Biblio

Crowdsensing, driven by the proliferation of sensor-rich mobile devices, has emerged as a promising data sensing and aggregation paradigm. Despite useful, traditional crowdsensing systems typically rely on a centralized third-party platform for data collection and processing, which leads to concerns like single point of failure and lack of operation transparency. Such centralization hinders the wide adoption of crowdsensing by wary participants. We therefore explore an alternative design space of building crowdsensing systems atop the emerging decentralized blockchain technology. While enjoying the benefits brought by the public blockchain, we endeavor to achieve a consolidated set of desirable security properties with a proper choreography of latest techniques and our customized designs. We allow data providers to safely contribute data to the transparent blockchain with the confidentiality guarantee on individual data and differential privacy on the aggregation result. Meanwhile, we ensure the service correctness of data aggregation and sanitization by delicately employing hardware-assisted transparent enclave. Furthermore, we maintain the robustness of our system against faulty data providers that submit invalid data, with a customized zero-knowledge range proof scheme. The experiment results demonstrate the high efficiency of our designs on both mobile client and SGX-enabled server, as well as reasonable on-chain monetary cost of running our task contract on Ethereum.

Virtual reality (VR) recently is a promising technique in both industry and academia due to its potential applications in immersive experiences including website, game, tourism, or museum. VR technique provides an amazing 3-Dimensional (3D) experiences by requiring a very high amount of elements such as images, texture, depth, focus length, etc. However, in order to apply VR technique to various devices, especially in mobiles, ultra-high transmission rate and extremely low latency are really big challenge. Considering this problem, this paper proposes a novel combination model by transforming the computing capability of VR device into an equivalent caching amount while remaining low latency and fast transmission. In addition, Classic caching models are used to computing and catching capabilities which is easily apply to multi-user models.

Nowadays, mobile devices have become one of the most popular instruments used by a person on its regular life, mainly due to the importance of their applications. In that context, mobile devices store user's personal information and even more data, becoming a personal tracker for daily activities that provides important information about the user. Derived from this gathering of information, many tools are available to use on mobile devices, with the restrain that each tool only provides isolated information about a specific application or activity. Therefore, the present work proposes a tool that allows investigators to obtain a complete report and timeline of the activities that were performed on the device. This report incorporates the information provided by many sources into a unique set of data. Also, by means of an example, it is presented the operation of the solution, which shows the feasibility in the use of this tool and shows the way in which investigators have to apply the tool.

Outsourcing services to cloud server (CS) becomes popular in these years. However, the outsourced services often involve with sensitive activity and CS naturally becomes a target of varieties of attacks. Even worse, CS itself can misuse the outsourced services for illegal profit. Traditional online banking system also can make use of a cloud framework to provide economical and high-speed online services to the consumers, which makes the financial dealing easy and convenient. Most of the banking organizations provide services through passbook, ATM, mobile banking, electronic banking (e-banking) etc. Among these, the e-banking and mobile banking are more convenient and becomes essential. Therefore, it is critical to provide an efficient, reliable and more importantly, secure e-banking services to the consumers. The cloud environment is suitable paradigm to a new, small and medium scale banking organization as it eliminates the requirement for them to start with small resources and increase gradually as the service demand rises. However, security is one of the main concerns since it deals with many sensitive data of the valuable customers. In addition to this, the access of various data needs to be restricted to prevent any unauthorized transaction. Nagaraju et al. presented a framework to achieve reliability and security in public cloud based online banking using multi-factor authentication concept. Unfortunately, the login and authentication protocol of this framework is prone to impersonation attack. In this paper, we have revised the framework to avoid this attack.

Biometry is often used as a part of the multi-factor authentication in order to improve the security of IT systems. In this paper, we propose the palmprint-based solution for user identity verification. In particular, we present a new approach to feature extraction. The proposed method is based both on texture and color information. Our experiments show that using the proposed hybrid features allows for achieving satisfactory accuracy without increasing requirements for additional computational resources. It is important from our perspective since the proposed method is dedicated to smartphones and other handhelds in mobile verification scenarios.

BYOD (Bring Your Own Device) trends allows employees to use the smartphone as a tool in everyday work and also as an attendance device. The security of employee attendance system is important to ensure that employees do not commit fraud in recording attendance and when monitoring activities at working hours. In this paper, we propose a combination of fingerprint, secure android ID, and GPS as authentication factors, also addition of anti emulator and anti fake location module turn Mobile Attendance System into Mobile Secure Attendance System. Testing based on scenarios that have been adapted to various possible frauds is done to prove whether the system can minimize the occurrence of fraud in attendance recording and monitoring of employee activities.

Mobile Adhoc networks are wireless adhoc networks that have property of self organizing, less infrastructure, multi hoping, which are designed to work under low power vulnerable environment. Due to its very unique characteristics, there is much chances of threat of malicious nodes within the network. Blackhole attack is a menace in MANETs which redirects all traffic to itself and drops it. This paper’s objective is to analyze the effects of blackhole attack under reactive routing protocol such as Adhoc on Demand Distance Vector routing (AODV). The performance of this protocol is assessed to find the vulnerability of attack and also compared the impact of attack on both AODV, AODV with blackhole and proposed AODV protocols. The analysis is done by simulated using NS- 2.35 and QoS parameters such as Throughput, PDR, and Average Energy Consumed are measured further.

Mobile adhoc network are fully autonomous where the nodes act both as node as well as router. Centralization is absent in MANETs. In MANETs nodes are continuously moving and have an open access which put it at a risk of large number of attacks. Security in such networks is therefore a critical matter. In order to find solution to this issue various attacks need to be studied and analyzed. In Blackhole attack, the unauthorized node in the path of source and target nodes takes away the packets sent by the source and drops them by not heading them towards the target node. The malicious behavior launched by Blackhole attack deteriorates the network performance.

Mobile Ad-hoc Networks (MANETs) have gained popularity both in research and in industrial fields. This is due to their ad hoc nature, easy deployment thanks to the lack of fixed infrastructure, self-organization of its components, dynamic topologies and the absence of any central authority for routing. However, MANETs suffer from several vulnerabilities such as battery power, limited memory space, and physical protection of network nodes. In addition, MANETs are sensitive to various attacks that threaten network security like Blackhole attack in its different implementation (single and multiple). In this article, we present the simulation results of single and multiple Blackhole attack in AODV and OLSR protocols on using NS-3.27 simulator. In this simulation, we took into consideration the density of the network described by the number of nodes included in the network, the speed of the nodes, the mobility model and even we chose the IEEE 802.11ac protocol for the pbysicallayer, in order to have a simulation, which deals with more general and more real scenarios. To be able to evaluate the impact of the attack on the network, the Packet delivery rate, Routing overhead, Throughput and Average End to End delay have been chosen as metrics for performance evaluation.

With the rapid growth of mobile devices and mobile apps, mobile has surpassed desktop and now has the largest worldwide market share [1]. While such growth brings in more opportunities, it also poses new challenges in security. Among the challenges, user privacy protection has drawn tremendous attention in recent years, especially after the Facebook-Cambridge Analytica data scandal in April 2018 [2].

The next generation military environment requires a delay-tolerant network for sharing data and resources using an interoperable computerized, Command, Control, Communications, Intelligence, Surveillance and Reconnaissance (C4ISR) infrastructure. In this paper, we propose a new distributed SDN (Software-Defined Networks) architecture for tactical environments based on distributed cloudlets. The objective is to reduce the end-to-end delay of tactical traffic flow, and improve management capabilities, allowing flexible control and network resource allocation. The proposed SDN architecture is implemented over three layers: decentralized cloudlets layer where each cloudlet has its SDRN (Software-Defined Radio Networking) controller, decentralized MEC (Mobile Edge Computing) layer with an SDN controller for each MEC, and a centralized private cloud as a trusted third-part authority controlled by a centralized SDN controller. The experimental validations are done via relevant and realistic tactical scenarios based on strategic traffics loads, i.e., Tactical SMS (Short Message Service), UVs (Unmanned Vehicle) patrol deployment and high bite rate ISR (Intelligence, Surveillance, and Reconnaissance) video.

The concept of network slicing in 5G mobile networks introduces new challenges for security management: Given the combination of Infrastructure-as-a-Service cloud providers, mobile network operators as Software-as-a-Service providers, and the various verticals as customers, multi-layer and multi-tenancy-capable management architectures are required. This paper addresses the challenges for correlation of security events in such 5G scenarios with a focus on event processing at telecommunication service providers. After an analysis of the specific demand for network-slice-centric security event correlation in 5G networks, ongoing standardization efforts, and related research, we propose a multi-tenancy-capable event correlation architecture along with a scalable information model. The event processing, alerting, and correlation workflow is discussed and has been implemented in a network and security management system prototype, leading to a demonstration of first results acquired in a lab setup.

With the rapid development of location-aware mobile devices, location-based services have been widely used. When LBS (Location Based Services) bringing great convenience and profits, it also brings great hidden trouble, among which user privacy security is one of them. The paper builds a LBS privacy protection model and develops algorithm depend on the technology of one dimensional coding of Geohash geographic information. The results of experiments and data measurements show that the model the model has reached k-anonymity effect and has good performance in avoiding attacking from the leaked information in a continuous query with the user's background knowledge. It also has a preferable performance in time cost of system process.

Geo-social applications deal with constantly sharing user's current geographic information in terms of location (Latitude and Longitude). Such application can be used by many people to get information about their surrounding with the help of their friend's locations and their recommendations. But without any privacy protection, these systems can be easily misused by tracking the users. We are proposing Error Based Transformation (ERB) approach for location transformation which provides significantly improved location privacy without adding uncertainty in to query results or relying on strong assumptions about server security. The key insight is to apply secure user-specific, distance-preserving coordinate transformations to all location data shared with the server. Only the friends of a user can get exact co-ordinates by applying inverse transformation with secret key shared with them. Servers can evaluate all location queries correctly on transformed data. ERB privacy mechanism guarantee that servers are unable to see or infer actual location data from the transformed data. ERB privacy mechanism is successful against a powerful adversary model where prototype measurements used to show that it provides with very little performance overhead making it suitable for today's mobile device.

Geo-social applications deal with constantly sharing user's current geographic information in terms of location (Latitude and Longitude). Such application can be used by many people to get information about their surrounding with the help of their friend's locations and their recommendations. But without any privacy protection, these systems can be easily misused by tracking the users. We are proposing Error Based Transformation (ERB) approach for location transformation which provides significantly improved location privacy without adding uncertainty in to query results or relying on strong assumptions about server security. The key insight is to apply secure user-specific, distance-preserving coordinate transformations to all location data shared with the server. Only the friends of a user can get exact co-ordinates by applying inverse transformation with secret key shared with them. Servers can evaluate all location queries correctly on transformed data. ERB privacy mechanism guarantee that servers are unable to see or infer actual location data from the transformed data. ERB privacy mechanism is successful against a powerful adversary model where prototype measurements used to show that it provides with very little performance overhead making it suitable for today's mobile device.

The online advertising ecosystem is built upon the massive data collection of ad networks to learn the properties of users for targeted ad deliveries. Existing efforts have investigated the privacy leakage behaviors of mobile ad networks. However, there lacks a large-scale measurement study to evaluate the scale of privacy leakage through mobile ads. In this work, we present a study of the potential privacy leakage in location-based mobile advertising services based on a large-scale measurement. We first introduce a threat model in the mobile ad ecosystem, and then design a measurement system to perform extensive threat measurements and assessments. To counteract the privacy leakage threats, we design and implement an adaptive location obfuscation mechanism, which can be used to obfuscate location data in real-time while minimizing the impact to mobile ad businesses.

The online advertising ecosystem is built upon the massive data collection of ad networks to learn the properties of users for targeted ad deliveries. Existing efforts have investigated the privacy leakage behaviors of mobile ad networks. However, there lacks a large-scale measurement study to evaluate the scale of privacy leakage through mobile ads. In this work, we present a study of the potential privacy leakage in location-based mobile advertising services based on a large-scale measurement. We first introduce a threat model in the mobile ad ecosystem, and then design a measurement system to perform extensive threat measurements and assessments. To counteract the privacy leakage threats, we design and implement an adaptive location obfuscation mechanism, which can be used to obfuscate location data in real-time while minimizing the impact to mobile ad businesses.

The safety of web browsers is essential to the privacy of Internet users and the security of their computing systems. In the last few years, there have been several cyber attacks geared towards compromising surfers' data and systems via exploiting browser-based vulnerabilities. Android and a number of mobile operating systems have been supporting a UI component called WebView, which can be embedded in any mobile application to render the web contents. Yet, this mini-browser component has been found to be vulnerable to various kinds of attacks. For instance, an attacker in her WebView-Embedded app can inject malicious JavaScripts into the WebView to modify the web contents or to steal user's input values. This kind of attack is particularly challenging due to the full control of attackers over the content of the loaded pages. In this paper, we are proposing and testing a server-side moving target defense technique to counter the risk of JavaScript injection attacks on mobile WebViews. The solution entails creating redundant HTML forms, randomizing their attributes and values, and asserting stealthy prompts for the user data. The solution does not dictate any changes to the browser or applications codes, neither it requires key sharing with benign clients. The results of our performance and security analysis suggest that our proposed approach protects the confidentiality and integrity of user input values with minimum overhead.

Phishing attacks have reached record volumes in recent years. Simultaneously, modern phishing websites are growing in sophistication by employing diverse cloaking techniques to avoid detection by security infrastructure. In this paper, we present PhishFarm: a scalable framework for methodically testing the resilience of anti-phishing entities and browser blacklists to attackers' evasion efforts. We use PhishFarm to deploy 2,380 live phishing sites (on new, unique, and previously-unseen .com domains) each using one of six different HTTP request filters based on real phishing kits. We reported subsets of these sites to 10 distinct anti-phishing entities and measured both the occurrence and timeliness of native blacklisting in major web browsers to gauge the effectiveness of protection ultimately extended to victim users and organizations. Our experiments revealed shortcomings in current infrastructure, which allows some phishing sites to go unnoticed by the security community while remaining accessible to victims. We found that simple cloaking techniques representative of real-world attacks- including those based on geolocation, device type, or JavaScript- were effective in reducing the likelihood of blacklisting by over 55% on average. We also discovered that blacklisting did not function as intended in popular mobile browsers (Chrome, Safari, and Firefox), which left users of these browsers particularly vulnerable to phishing attacks. Following disclosure of our findings, anti-phishing entities are now better able to detect and mitigate several cloaking techniques (including those that target mobile users), and blacklisting has also become more consistent between desktop and mobile platforms- but work remains to be done by anti-phishing entities to ensure users are adequately protected. Our PhishFarm framework is designed for continuous monitoring of the ecosystem and can be extended to test future state-of-the-art evasion techniques used by malicious websites.

The aim of this work is to create a new style web browser. The other web browsers can have safety issues and have many ads and popups. The other web browsers can fill up cache with the logging of big history of visited web pages. This app is a light-weight web browser which is both secure and private with no ads and no popups, just the plain Internet shown in full screen. The app does not store all user data, so the navigation of webpages is done in incognito mode. The app was made to open any new HTML5 web page in a secure and private mode with big focus on loading speed of the web pages.

The Internet of Things (IoT) and mobile systems nowadays are required to perform more intensive computation, such as facial detection, image recognition and even remote gaming, etc. Due to the limited computation performance and power budget, it is sometimes impossible to perform these workloads locally. As high-performance GPUs become more common in the cloud, offloading the computation to the cloud becomes a possible choice. However, due to the fact that offloaded workloads from different devices (belonging to different users) are being computed in the same cloud, security concerns arise. Side channel attacks on GPU systems have been widely studied, where the threat model is the attacker and the victim are running on the same operating system. Recently, major GPU vendors have provided hardware and library support to virtualize GPUs for better isolation among users. This work studies the side channel attacks from one virtual machine to another where both share the same physical GPU. We show that it is possible to infer other user's activities in this setup and can further steal others deep learning model.

Today, Internet of Things (IoT) implements an ecosystem where a panoply of interconnected devices collect data from physical environments and supply them to processing services, on top of which cloud-based applications are built and provided to mobile end users. The undebatable advantages of smart IoT systems clash with the need of a secure and trustworthy environment. In this paper, we propose a service-based methodology based on blockchain and smart contracts for trustworthy evidence collection at the basis of a trustworthy IoT assurance evaluation. The methodology balances the provided level of trustworthiness and its performance, and is experimentally evaluated using Hyperledger fabric blockchain.

TEE(Trusted Execution Environment) has became one of the most popular security features for mobile platforms. Current TEE solutions usually implement secure functions in Trusted applications (TA) running over a trusted OS in the secure world. Host App may access these secure functions through the TEE driver. Unfortunately, such architecture is not very secure. A trusted OS has to be loaded in secure world to support TA running. Thus, the code size in secure world became large. As more and more TA is installed, the secure code size will be further larger and larger. Lots of real attack case have been reported [1]. In this paper, we present a novel TEE constructing method named ALTEE. Different from existing TEE solutions, ALTEE includes secure code in host app, and constructs a trustworthy execution environment for it dynamically whenever the code needs to be run.

With geographic message dissemination, connected vehicles can be served with traffic information in their proximity, thereby positively impacting road safety, traffic management, or routing. Since such messages are typically relevant in a small geographic area, servers only distribute messages to affected vehicles for efficiency reasons. One main challenge is to maintain scalability of the server infrastructure when collecting location updates from vehicles and determining the relevant group of vehicles when messages are distributed to a geographic relevance area, while at the same time respecting the individual user's privacy in accordance with legal regulations. In this paper, we present a framework for geographic message dissemination following the privacy-by-design and privacy-by-default principles, without having to accept efficiency drawbacks compared to conventional server-client based approaches.

In recent years, the number of smart mobile devices has rapidly increased worldwide. This explosion of continuously connected mobile devices has resulted in an exponential growth in the number of publically available mobile Apps. To facilitate the selection of mobile Apps, from various available choices, the App distribution platforms typically rank/recommend Apps based on average star ratings, the number of downloads, and associated reviews - the external aspect of an App. However, these ranking schemes typically tend to ignore critical internal aspects (e.g., security vulnerabilities) of the Apps. Such an omission of internal aspects is certainly not desirable, especially when many of the users do not possess the necessary skills to evaluate the internal aspects and choose an App based on the default ranking scheme which uses the external aspect. In this paper, we build upon our earlier efforts by focusing specifically on the security-related internal aspect of an App and its combination with the external aspect computed from the user reviews by identifying security-related comments.We use this combination to rank-order similar Apps. We evaluate our approach on publicly available Apps from the Google PlayStore and compare our ranking with prevalent ranking techniques such as the average star ratings. The experimental results indicate the effectiveness of our proposed approach.