Visible to the public Biblio

Found 182 results

Filters: Keyword is authorisation  [Clear All Filters]
2017-12-12
Legg, P. A., Buckley, O., Goldsmith, M., Creese, S..  2017.  Automated Insider Threat Detection System Using User and Role-Based Profile Assessment. IEEE Systems Journal. 11:503–512.

Organizations are experiencing an ever-growing concern of how to identify and defend against insider threats. Those who have authorized access to sensitive organizational data are placed in a position of power that could well be abused and could cause significant damage to an organization. This could range from financial theft and intellectual property theft to the destruction of property and business reputation. Traditional intrusion detection systems are neither designed nor capable of identifying those who act maliciously within an organization. In this paper, we describe an automated system that is capable of detecting insider threats within an organization. We define a tree-structure profiling approach that incorporates the details of activities conducted by each user and each job role and then use this to obtain a consistent representation of features that provide a rich description of the user's behavior. Deviation can be assessed based on the amount of variance that each user exhibits across multiple attributes, compared against their peers. We have performed experimentation using ten synthetic data-driven scenarios and found that the system can identify anomalous behavior that may be indicative of a potential threat. We also show how our detection system can be combined with visual analytics tools to support further investigation by an analyst.

Almehmadi, A., El-khatib, K..  2017.  On the Possibility of Insider Threat Prevention Using Intent-Based Access Control (IBAC). IEEE Systems Journal. 11:373–384.

Existing access control mechanisms are based on the concept of identity enrolment and recognition and assume that recognized identity is a synonym to ethical actions, yet statistics over the years show that the most severe security breaches are the results of trusted, identified, and legitimate users who turned into malicious insiders. Insider threat damages vary from intellectual property loss and fraud to information technology sabotage. As insider threat incidents evolve, there exist demands for a nonidentity-based authentication measure that rejects access to authorized individuals who have mal-intents of access. In this paper, we study the possibility of using the user's intention as an access control measure using the involuntary electroencephalogram reactions toward visual stimuli. We propose intent-based access control (IBAC) that detects the intentions of access based on the existence of knowledge about an intention. IBAC takes advantage of the robustness of the concealed information test to assess access risk. We use the intent and intent motivation level to compute the access risk. Based on the calculated risk and risk accepted threshold, the system makes the decision whether to grant or deny access requests. We assessed the model using experiments on 30 participants that proved the robustness of the proposed solution.

Zhu, X., Badr, Y., Pacheco, J., Hariri, S..  2017.  Autonomic Identity Framework for the Internet of Things. 2017 International Conference on Cloud and Autonomic Computing (ICCAC). :69–79.

The Internet of Things (IoT) will connect not only computers and mobile devices, but it will also interconnect smart buildings, houses, and cities, as well as electrical grids, gas plants, and water networks, automobiles, airplanes, etc. IoT will lead to the development of a wide range of advanced information services that are pervasive, cost-effective, and can be accessed from anywhere and at any time. However, due to the exponential number of interconnected devices, cyber-security in the IoT is a major challenge. It heavily relies on the digital identity concept to build security mechanisms such as authentication and authorization. Current centralized identity management systems are built around third party identity providers, which raise privacy concerns and present a single point of failure. In addition, IoT unconventional characteristics such as scalability, heterogeneity and mobility require new identity management systems to operate in distributed and trustless environments, and uniquely identify a particular device based on its intrinsic digital properties and its relation to its human owner. In order to deal with these challenges, we present a Blockchain-based Identity Framework for IoT (BIFIT). We show how to apply our BIFIT to IoT smart homes to achieve identity self-management by end users. In the context of smart home, the framework autonomously extracts appliances signatures and creates blockchain-based identifies for their appliance owners. It also correlates appliances signatures (low level identities) and owners identifies in order to use them in authentication credentials and to make sure that any IoT entity is behaving normally.

2017-11-13
Urien, P..  2016.  Three Innovative Directions Based on Secure Elements for Trusted and Secured IoT Platforms. 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS). :1–2.

This paper presents the foundations of secured and trusted architecture for the Internet of Things platforms, based on Secure Elements (SE). Some IoT networks could be managed by service providers, dealing with smart grids or healthcare. Many platforms are using DTLS or TLS protocols. Therefore SEs running such stacks could provide strong mutual authentication and secure communications. Three future research directions are illustrated by previous experiments. TLS/DTLS SE servers for objects, CoAP DTLS clients for SIM modules, and RACS authorization servers based on SE TLS servers.

Walsh, K..  2016.  TLS with trustworthy certificate authorities. 2016 IEEE Conference on Communications and Network Security (CNS). :516–524.

Cloud platforms can leverage Trusted Platform Modules to help provide assurance to clients that cloud-based Web services are trustworthy and behave as expected. We discuss a variety of approaches to providing this assurance, and we implement one approach based on the concept of a trustworthy certificate authority. TaoCA, our prototype implementation, links cryptographic attestations from a cloud platform, including a Trusted Platform Module, with existing TLS-based authentication mechanisms. TaoCA is designed to enable certificate authorities, browser vendors, system administrators, and end users to define and enforce a range of trust policies for web services. Evaluation of the prototype implementation demonstrates the feasibility of the design, illustrates performance tradeoffs, and serves as an end-to-end, proof-of-concept evaluation of underlying trustworthy computing abstractions. The proposed approach can be deployed incrementally and provides new benefits while retaining compatibility with the existing public key infrastructure used for TLS. 

Yu, F., Chen, L., Zhang, H..  2016.  Virtual TPM Dynamic Trust Extension Suitable for Frequent Migrations. 2016 IEEE Trustcom/BigDataSE/ISPA. :57–65.

This paper has presented an approach of vTPM (virtual Trusted Platform Module) Dynamic Trust Extension (DTE) to satisfy the requirements of frequent migrations. With DTE, vTPM is a delegation of the capability of signing attestation data from the underlying pTPM (physical TPM), with one valid time token issued by an Authentication Server (AS). DTE maintains a strong association between vTPM and its underlying pTPM, and has clear distinguishability between vTPM and pTPM because of the different security strength of the two types of TPM. In DTE, there is no need for vTPM to re-acquire Identity Key (IK) certificate(s) after migration, and pTPM can have a trust revocation in real time. Furthermore, DTE can provide forward security. Seen from the performance measurements of its prototype, DTE is feasible.

2017-11-03
Alobaidan, I., Mackay, M., Tso, P..  2016.  Build Trust in the Cloud Computing - Isolation in Container Based Virtualisation. 2016 9th International Conference on Developments in eSystems Engineering (DeSE). :143–148.

Cloud computing is revolutionizing many IT ecosystems through offering scalable computing resources that are easy to configure, use and inter-connect. However, this model has always been viewed with some suspicion as it raises a wide range of security and privacy issues that need to be negotiated. This research focuses on the construction of a trust layer in cloud computing to build a trust relationship between cloud service providers and cloud users. In particular, we address the rise of container-based virtualisation has a weak isolation compared to traditional VMs because of the shared use of the OS kernel and system components. Therefore, we will build a trust layer to solve the issues of weaker isolation whilst maintaining the performance and scalability of the approach. This paper has two objectives. Firstly, we propose a security system to protect containers from other guests through the addition of a Role-based Access Control (RBAC) model and the provision of strict data protection and security. Secondly, we provide a stress test using isolation benchmarking tools to evaluate the isolation in containers in term of performance.

2017-03-13
Kamoona, M., El-Sharkawy, M..  Submitted.  FlexiWi-Fi Security Manager Using Freescale Embedded System. 2015 2nd International Conference on Information Science and Security (ICISS). :1–4.

Among the current Wi-Fi two security models (Enterprise and Personal), while the Enterprise model (802.1X) offers an effective framework for authenticating and controlling the user traffic to a protected network, the Personal model (802.11) offers the cheapest and the easiest to setup solution. However, the drawback of the personal model implementation is that all access points and client radio NIC on the wireless LAN should use the same encryption key. A major underlying problem of the 802.11 standard is that the pre-shared keys are cumbersome to change. So if those keys are not updated frequently, unauthorized users with some resources and within a short timeframe can crack the key and breach the network security. The purpose of this paper is to propose and implement an effective method for the system administrator to manage the users connected to a router, update the keys and further distribute them for the trusted clients using the Freescale embedded system, Infrared and Bluetooth modules.

2017-03-08
D'Lima, N., Mittal, J..  2015.  Password authentication using Keystroke Biometrics. 2015 International Conference on Communication, Information Computing Technology (ICCICT). :1–6.

The majority of applications use a prompt for a username and password. Passwords are recommended to be unique, long, complex, alphanumeric and non-repetitive. These reasons that make passwords secure may prove to be a point of weakness. The complexity of the password provides a challenge for a user and they may choose to record it. This compromises the security of the password and takes away its advantage. An alternate method of security is Keystroke Biometrics. This approach uses the natural typing pattern of a user for authentication. This paper proposes a new method for reducing error rates and creating a robust technique. The new method makes use of multiple sensors to obtain information about a user. An artificial neural network is used to model a user's behavior as well as for retraining the system. An alternate user verification mechanism is used in case a user is unable to match their typing pattern.

Huang, J., Hou, D., Schuckers, S., Hou, Z..  2015.  Effect of data size on performance of free-text keystroke authentication. IEEE International Conference on Identity, Security and Behavior Analysis (ISBA 2015). :1–7.

Free-text keystroke authentication has been demonstrated to be a promising behavioral biometric. But unlike physiological traits such as fingerprints, in free-text keystroke authentication, there is no natural way to identify what makes a sample. It remains an open problem as to how much keystroke data are necessary for achieving acceptable authentication performance. Using public datasets and two existing algorithms, we conduct two experiments to investigate the effect of the reference profile size and test sample size on False Alarm Rate (FAR) and Imposter Pass Rate (IPR). We find that (1) larger reference profiles will drive down both IPR and FAR values, provided that the test samples are large enough, and (2) larger test samples have no obvious effect on IPR, regardless of the reference profile size. We discuss the practical implication of our findings.

Antal, M., Szabó, L. Z..  2015.  An Evaluation of One-Class and Two-Class Classification Algorithms for Keystroke Dynamics Authentication on Mobile Devices. 2015 20th International Conference on Control Systems and Computer Science. :343–350.

In this paper we study keystroke dynamics as an authentication mechanism for touch screen based devices. The authentication process decides whether the identity of a given person is accepted or rejected. This can be easily implemented by using a two-class classifier which operates with the help of positive samples (belonging to the authentic person) and negative ones. However, collecting negative samples is not always a viable option. In such cases a one-class classification algorithm can be used to characterize the target class and distinguish it from the outliers. We implemented an authentication test-framework that is capable of working with both one-class and two-class classification algorithms. The framework was evaluated on our dataset containing keystroke samples from 42 users, collected from touch screen-based Android devices. Experimental results yield an Equal Error Rate (EER) of 3% (two-class) and 7% (one-class) respectively.

Alotaibi, S., Furnell, S., Clarke, N..  2015.  Transparent authentication systems for mobile device security: A review. 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST). :406–413.

Sensitive data such as text messages, contact lists, and personal information are stored on mobile devices. This makes authentication of paramount importance. More security is needed on mobile devices since, after point-of-entry authentication, the user can perform almost all tasks without having to re-authenticate. For this reason, many authentication methods have been suggested to improve the security of mobile devices in a transparent and continuous manner, providing a basis for convenient and secure user re-authentication. This paper presents a comprehensive analysis and literature review on transparent authentication systems for mobile device security. This review indicates a need to investigate when to authenticate the mobile user by focusing on the sensitivity level of the application, and understanding whether a certain application may require a protection or not.

Roth, J., Liu, X., Ross, A., Metaxas, D..  2015.  Investigating the Discriminative Power of Keystroke Sound. IEEE Transactions on Information Forensics and Security. 10:333–345.
The goal of this paper is to determine whether keystroke sound can be used to recognize a user. In this regard, we analyze the discriminative power of keystroke sound in the context of a continuous user authentication application. Motivated by the concept of digraphs used in modeling keystroke dynamics, a virtual alphabet is first learned from keystroke sound segments. Next, the digraph latency within the pairs of virtual letters, along with other statistical features, is used to generate match scores. The resultant scores are indicative of the similarities between two sound streams, and are fused to make a final authentication decision. Experiments on both static text-based and free text-based authentications on a database of 50 subjects demonstrate the potential as well as the limitations of keystroke sound.
Mondal, S., Bours, P..  2015.  Continuous Authentication in a real world settings. 2015 Eighth International Conference on Advances in Pattern Recognition (ICAPR). :1–6.

Continuous Authentication by analysing the user's behaviour profile on the computer input devices is challenging due to limited information, variability of data and the sparse nature of the information. As a result, most of the previous research was done as a periodic authentication, where the analysis was made based on a fixed number of actions or fixed time period. Also, the experimental data was obtained for most of the previous research in a very controlled condition, where the task and environment were fixed. In this paper, we will focus on actual continuous authentication that reacts on every single action performed by the user. The experimental data was collected in a complete uncontrolled condition from 52 users by using our data collection software. In our analysis, we have considered both keystroke and mouse usages behaviour pattern to avoid a situation where an attacker avoids detection by restricting to one input device because the continuous authentication system only checks the other input device. The result we have obtained from this research is satisfactory enough for further investigation on this domain.

Morales, A., Luna-Garcia, E., Fierrez, J., Ortega-Garcia, J..  2015.  Score normalization for keystroke dynamics biometrics. 2015 International Carnahan Conference on Security Technology (ICCST). :223–228.

This paper analyzes score normalization for keystroke dynamics authentication systems. Previous studies have shown that the performance of behavioral biometric recognition systems (e.g. voice and signature) can be largely improved with score normalization and target-dependent techniques. The main objective of this work is twofold: i) to analyze the effects of different thresholding techniques in 4 different keystroke dynamics recognition systems for real operational scenarios; and ii) to improve the performance of keystroke dynamics on the basis of target-dependent score normalization techniques. The experiments included in this work are worked out over the keystroke pattern of 114 users from two different publicly available databases. The experiments show that there is large room for improvements in keystroke dynamic systems. The results suggest that score normalization techniques can be used to improve the performance of keystroke dynamics systems in more than 20%. These results encourage researchers to explore this research line to further improve the performance of these systems in real operational environments.

Pisani, P. H., Lorena, A. C., Carvalho, A. C. P. L. F. d.  2015.  Ensemble of Adaptive Algorithms for Keystroke Dynamics. 2015 Brazilian Conference on Intelligent Systems (BRACIS). :310–315.

Biometric systems have been applied to improve the security of several computational systems. These systems analyse physiological or behavioural features obtained from the users in order to perform authentication. Biometric features should ideally meet a number of requirements, including permanence. In biometrics, permanence means that the analysed biometric feature will not change over time. However, recent studies have shown that this is not the case for several biometric modalities. Adaptive biometric systems deal with this issue by adapting the user model over time. Some algorithms for adaptive biometrics have been investigated and compared in the literature. In machine learning, several studies show that the combination of individual techniques in ensembles may lead to more accurate and stable decision models. This paper investigates the usage of some ensemble approaches to combine the output of current adaptive algorithms for biometrics. The experiments are carried out on keystroke dynamics, a biometric modality known to be subject to change over time.

Bertino, E., Hartman, N. W..  2015.  Cybersecurity for product lifecycle management a research roadmap. 2015 IEEE International Conference on Intelligence and Security Informatics (ISI). :114–119.

This paper introduces a research agenda focusing on cybersecurity in the context of product lifecycle management. The paper discusses research directions on critical protection techniques, including protection techniques from insider threat, access control systems, secure supply chains and remote 3D printing, compliance techniques, and secure collaboration techniques. The paper then presents an overview of DBSAFE, a system for protecting data from insider threat.

Yang, K., Forte, D., Tehranipoor, M. M..  2015.  Protecting endpoint devices in IoT supply chain. 2015 IEEE/ACM International Conference on Computer-Aided Design (ICCAD). :351–356.

The Internet of Things (IoT), an emerging global network of uniquely identifiable embedded computing devices within the existing Internet infrastructure, is transforming how we live and work by increasing the connectedness of people and things on a scale that was once unimaginable. In addition to increased communication efficiency between connected objects, the IoT also brings new security and privacy challenges. Comprehensive measures that enable IoT device authentication and secure access control need to be established. Existing hardware, software, and network protection methods, however, are designed against fraction of real security issues and lack the capability to trace the provenance and history information of IoT devices. To mitigate this shortcoming, we propose an RFID-enabled solution that aims at protecting endpoint devices in IoT supply chain. We take advantage of the connection between RFID tag and control chip in an IoT device to enable data transfer from tag memory to centralized database for authentication once deployed. Finally, we evaluate the security of our proposed scheme against various attacks.

2017-03-07
Nirmal, K., Janet, B., Kumar, R..  2015.  Phishing - the threat that still exists. 2015 International Conference on Computing and Communications Technologies (ICCCT). :139–143.

Phishing is an online security attack in which the hacker aims in harvesting sensitive information like passwords, credit card information etc. from the users by making them to believe what they see is what it is. This threat has been into existence for a decade and there has been continuous developments in counter attacking this threat. However, statistical study reveals how phishing is still a big threat to today's world as the online era booms. In this paper, we look into the art of phishing and have made a practical analysis on how the state of the art anti-phishing systems fail to prevent Phishing. With the loop-holes identified in the state-of-the-art systems, we move ahead paving the roadmap for the kind of system that will counter attack this online security threat more effectively.

Kolahi, S. S., Treseangrat, K., Sarrafpour, B..  2015.  Analysis of UDP DDoS flood cyber attack and defense mechanisms on Web Server with Linux Ubuntu 13. 2015 International Conference on Communications, Signal Processing, and their Applications (ICCSPA). :1–5.

Denial of Service (DoS) attacks is one of the major threats and among the hardest security problems in the Internet world. Of particular concern are Distributed Denial of Service (DDoS) attacks, whose impact can be proportionally severe. With little or no advance warning, an attacker can easily exhaust the computing resources of its victim within a short period of time. In this paper, we study the impact of a UDP flood attack on TCP throughput, round-trip time, and CPU utilization for a Web Server with the new generation of Linux platform, Linux Ubuntu 13. This paper also evaluates the impact of various defense mechanisms, including Access Control Lists (ACLs), Threshold Limit, Reverse Path Forwarding (IP Verify), and Network Load Balancing. Threshold Limit is found to be the most effective defense.

Choi, S., Zage, D., Choe, Y. R., Wasilow, B..  2015.  Physically Unclonable Digital ID. 2015 IEEE International Conference on Mobile Services. :105–111.

The Center for Strategic and International Studies estimates the annual cost from cyber crime to be more than \$400 billion. Most notable is the recent digital identity thefts that compromised millions of accounts. These attacks emphasize the security problems of using clonable static information. One possible solution is the use of a physical device known as a Physically Unclonable Function (PUF). PUFs can be used to create encryption keys, generate random numbers, or authenticate devices. While the concept shows promise, current PUF implementations are inherently problematic: inconsistent behavior, expensive, susceptible to modeling attacks, and permanent. Therefore, we propose a new solution by which an unclonable, dynamic digital identity is created between two communication endpoints such as mobile devices. This Physically Unclonable Digital ID (PUDID) is created by injecting a data scrambling PUF device at the data origin point that corresponds to a unique and matching descrambler/hardware authentication at the receiving end. This device is designed using macroscopic, intentional anomalies, making them inexpensive to produce. PUDID is resistant to cryptanalysis due to the separation of the challenge response pair and a series of hash functions. PUDID is also unique in that by combining the PUF device identity with a dynamic human identity, we can create true two-factor authentication. We also propose an alternative solution that eliminates the need for a PUF mechanism altogether by combining tamper resistant capabilities with a series of hash functions. This tamper resistant device, referred to as a Quasi-PUDID (Q-PUDID), modifies input data, using a black-box mechanism, in an unpredictable way. By mimicking PUF attributes, Q-PUDID is able to avoid traditional PUF challenges thereby providing high-performing physical identity assurance with or without a low performing PUF mechanism. Three different application scenarios with mobile devices for PUDID and Q-PUDI- have been analyzed to show their unique advantages over traditional PUFs and outline the potential for placement in a host of applications.

2017-02-27
Abd, S. K., Salih, R. T., Al-Haddad, S. A. R., Hashim, F., Abdullah, A. B. H., Yussof, S..  2015.  Cloud computing security risks with authorization access for secure Multi-Tenancy based on AAAS protocol. TENCON 2015 - 2015 IEEE Region 10 Conference. :1–5.

Many cloud security complexities can be concerned as a result of its open system architecture. One of these complexities is multi-tenancy security issue. This paper discusses and addresses the most common public cloud security complexities focusing on Multi-Tenancy security issue. Multi-tenancy is one of the most important security challenges faced by public cloud services providers. Therefore, this paper presents a secure multi-tenancy architecture using authorization model Based on AAAS protocol. By utilizing cloud infrastructure, access control can be provided to various cloud information and services by our suggested authorization system. Each business can offer several cloud services. These cloud services can cooperate with other services which can be related to the same organization or different one. Moreover, these cooperation agreements are supported by our suggested system.

2017-02-23
I. Mukherjee, R. Ganguly.  2015.  "Privacy preserving of two sixteen-segmented image using visual cryptography". 2015 IEEE International Conference on Research in Computational Intelligence and Communication Networks (ICRCICN). :417-422.

With the advancement of technology, the world has not only become a better place to live in but have also lost the privacy and security of shared data. Information in any form is never safe from the hands of unauthorized accessing individuals. Here, in our paper we propose an approach by which we can preserve data using visual cryptography. In this paper, two sixteen segment displayed text is broken into two shares that does not reveal any information about the original images. By this process we have obtained satisfactory results in statistical and structural testes.

2017-02-14
P. Dahake, S. Nimbhorkar.  2015.  "Hybrid cryptosystem for maintaining image integrity using biometric fingerprint". 2015 International Conference on Pervasive Computing (ICPC). :1-5.

Integrity of image data plays an important role in data communication. Image data contain confidential information so it is very important to protect data from intruder. When data is transmitted through the network, there may be possibility that data may be get lost or damaged. Existing system does not provide all functionality for securing image during transmission. i.e image compression, encryption and user authentication. In this paper hybrid cryptosystem is proposed in which biometric fingerprint is used for key generation which is further useful for encryption purpose. Secret fragment visible mosaic image method is used for secure transmission of image. For reducing the size of image lossless compression technique is used which leads to the fast transmission of image data through transmission channel. The biometric fingerprint is useful for authentication purpose. Biometric method is more secure method of authentication because it requires physical presence of human being and it is untraceable.

J. Vukalović, D. Delija.  2015.  "Advanced Persistent Threats - detection and defense". 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO). :1324-1330.

The term “Advanced Persistent Threat” refers to a well-organized, malicious group of people who launch stealthy attacks against computer systems of specific targets, such as governments, companies or military. The attacks themselves are long-lasting, difficult to expose and often use very advanced hacking techniques. Since they are advanced in nature, prolonged and persistent, the organizations behind them have to possess a high level of knowledge, advanced tools and competent personnel to execute them. The attacks are usually preformed in several phases - reconnaissance, preparation, execution, gaining access, information gathering and connection maintenance. In each of the phases attacks can be detected with different probabilities. There are several ways to increase the level of security of an organization in order to counter these incidents. First and foremost, it is necessary to educate users and system administrators on different attack vectors and provide them with knowledge and protection so that the attacks are unsuccessful. Second, implement strict security policies. That includes access control and restrictions (to information or network), protecting information by encrypting it and installing latest security upgrades. Finally, it is possible to use software IDS tools to detect such anomalies (e.g. Snort, OSSEC, Sguil).