ICISSP 2019 Abstracts


Full Papers
Paper Nr: 5
Title:

SPROOF: A Platform for Issuing and Verifying Documents in a Public Blockchain

Authors:

Clemens Brunner, Fabian Knirsch and Dominik Engel

Abstract: Managing educational certificates or records of personal achievements often comes at the cost of handling documents, loss of data or malicious counterfeits. Especially in the case of printed certificates, both the origin and the integrity of certificates are hard to verify. Furthermore, such documents can be lost or destroyed due to unseen circumstances. Reissuing certificates can then be cost intensive, hard or impossible, e.g., if the issuing organization has been closed. While issuing and signing documents digitally solves some of these issues, this still requires centralized trusted infrastructures and still does not allow for easy verification or recovery of lost documents. In this paper, we present SPROOF, a platform for issuing, managing and verifying digital documents in a public blockchain. In the proposed approach, all data needed for verification of documents and issuers is stored decentralized, transparent, and integrity protected. The platform is permissionless and thus no access restrictions apply. Rather, following principles of the Web of Trust, issuers can confirm each other in a decentralized way. Additionally, scalability and privacy issues are taken into consideration.

Paper Nr: 6
Title:

Are You Ready When It Counts? IT Consulting Firm’s Information Security Incident Management

Authors:

Maja Nyman and Christine Große

Abstract: Information security incidents are increasing both in number and in scope. In consequence, the General Data Protection Regulation and the Directive on security of network and information systems force organisations to report such incidents to a supervision authority. Due to the growing of both the importance of managing incidents and the tendency to outsourcing, this study focuses on IT-consulting firms and highlights their vulnerable position as subcontractors. This study thereby addresses the lack of empirical research on incident management and contributes valuable insights in IT-consulting firms’ experiences with information security incident management. Evidence from interviews and a survey with experts at IT-consulting firms focuses on challenges in managing information security incidents. The analyses identify and clarify both new and known challenges, such as how the recent regulations affect the role of an IT-consulting firm and how the absence of major incidents influences stakeholder awareness. Improvements of IT-consulting firm’s incident management process need to address internal and external communication, the information security awareness of employees and customers and the adequacy of the cost focus.

Paper Nr: 10
Title:

Zero-sum Distinguishers for Round-reduced GIMLI Permutation

Authors:

Jiahao Cai, Zihao Wei, Yingjie Zhang, Siwei Sun and Lei Hu

Abstract: GIMLI is a 384-bit permutation proposed by Bernstein et al. at CHES 2017. It is designed with the goal of achieving both high security and high performance across a wide range of hardware and software platforms. Since GIMLI can be used as a building block for many cryptographic schemes, it is important to understand its concrete security. To the best of our knowledge, third party cryptanalysis of GIMLI is limited. In this paper, we identify some zero-sum distinguishers for 14-round GIMLI with the inside-out technique, which are one-round longer than the integral distinguishers presented by the designers. Although we obtain improved cryptanalysis results, these zero-sum distinguishers are far from threatening the full version of GIMLI.

Paper Nr: 13
Title:

Identity-based TLS for Cloud of Chips

Authors:

Gaurav Sharma, Soultana Ellinidou, Tristan Vanspouwen, Théo Rigas, Jean-Michel Dricot and Olivier Markowitch

Abstract: In this work, we implement an identity-based Transport Layer Security (ID-TLS) protocol and integrate it on scalable multiprocessor system-on-chip (MPSoC), namely Cloud-of-Chips (CoC), in order to secure the SDN communication on this platform. We select two identity-based encryption schemes that are more likely to meet the performance and resource constraints on the target platform. The schemes are Sakai-Kasahara’s identity-based encryption (SK-IBE) and the optimized identity-based encryption (OIBE) for lightweight devices by Guo et al. The results assert that both the schemes have their computation vs storage trade-off. The SK-IBE algorithm is significantly more computationally efficient than its OIBE counterpart while SK-IBE uses around 30 percent more memory than OIBE. However, the performance results of ID-TLS favor SK-IBE over OIBE. Finally, ID-TLS is integrated in the existing OpenFlow switch and controller implementations. This brings us to a fully functional and secure ID-TLS implementation on CoC, keeping the platform constraints in consideration.

Paper Nr: 15
Title:

Mobile Devices as Digital Sextants for Zero-Permission Geolocation

Authors:

Lorenz Schwittmann, Matthäus Wander and Torben Weis

Abstract: Sensors in mobile devices can be used to infer information about a user’s context, most notably the location. Android apps and websites shown in Firefox for Android allow software to read the ambient light sensor, gyroscope and accelerometer without asking the user for permission. We show that these three sensors are sufficient to determine the rough geographical location of a user by turning the mobile device into a digital sextant. Despite low-quality sensor data, our approach is able to determine the position of the sun and thereby the geographical area where the user is located. Our approach works even if the user holding the device does not cooperate in being located or employs location-disguising techniques such as a VPN. We analyze in detail the different error sources and show in which settings and situations our approach works best. The location accuracy was at best 146 km with a medium accuracy better than 500 km. Truncating the positional sensor readings minimizes the privacy threat, while truncation of the ambient light sensor has almost no effect.

Paper Nr: 20
Title:

Experiment on Side-Channel Key-Recovery using a Real LPWA End-device

Authors:

Kazuhide Fukushima, Damien Marion, Yuto Nakano, Adrien Facon, Shinsaku Kiyomoto and Sylvain Guilley

Abstract: The Internet of things (IoT) has come into widespread use, and data protection and integrity are critical for connected IoT devices in order to maintain security and privacy. Low-power wide-area (LPWA) technologies for IoT wireless communication achieve data protection and integrity by using encryption and message authentication. However, side-channel analysis techniques exist that have the capacity to recover secret information from a device. In this paper, we apply a side-channel analysis technique to the payload encryption process and message authentication code generation process on a real LoRaWAN end-device. The entire AES-128 key for the payload encryption can be recovered with 260 electromagnetic(EM)-leakage traces and 12 bytes of the key for message authentication code generation can be recovered with 140 EM-leakage traces.

Paper Nr: 25
Title:

Nonsense Attacks on Google Assistant and Missense Attacks on Amazon Alexa

Authors:

Mary K. Bispham, Ioannis Agrafiotis and Michael Goldsmith

Abstract: This paper presents novel attacks on voice-controlled digital assistants using nonsensical word sequences. We present the results of a small-scale experiment which demonstrates that it is possible for malicious actors to gain covert access to a voice-controlled system by hiding commands in apparently nonsensical sounds of which the meaning is opaque to humans. Several instances of nonsensical word sequences were identified which triggered a target command in a voice-controlled digital assistant, but which were incomprehensible to humans, as shown in tests with human experimental subjects. Our work confirms the potential for hiding malicious voice commands to voice-controlled digital assistants or other speech-controlled devices in speech sounds which are perceived by humans as nonsensical. This paper also develops a novel attack concept which involves gaining unauthorised access to a voice-controlled system using apparently unrelated utterances. We present the results of a proof-of-concept study showing that it is possible to trigger actions in a voice-controlled digital assistant using utterances which are accepted by the system as a target command despite having a different meaning to the command in terms of human understanding.

Paper Nr: 26
Title:

Remote Exploit Development for Cyber Red Team Computer Network Operations Targeting Industrial Control Systems

Authors:

Bernhards Blumbergs

Abstract: Cyber red teaming and its techniques, tactics and procedures have to be constantly developed to identify, counter and respond to sophisticated threats targeting critical infrastructures. This paper focuses on cyber red team technical arsenal development within conducted fast paced computer network operation case studies against the critical infrastructure operators. Technical attack details are revealed, attack tool released publicly and countermeasures proposed for the critical vulnerabilities found in the industrial devices and highly used communication protocols throughout the Europe. The exploits are developed in a reference system, verified in real cyber red teaming operations, responsibly disclosed to involved entities, and integrated within international cyber defence exercise adversary campaigns.

Paper Nr: 39
Title:

Sensing Danger: Exploiting Sensors to Build Covert Channels

Authors:

Thomas Ulz, Markus Feldbacher, Thomas Pieber and Christian Steger

Abstract: Recent incidents have shown that sensor-equipped devices can be used by adversaries to perform malicious activities, such as spying on end-users or for industrial espionage. In this paper, we present a novel attack scenario that uses unsecured embedded sensors to build covert channels that can be used to bypass security mechanisms and transfer information between isolated processes. We present covert channels that require read- and write-access for sensor registers as well as a covert channel that transfers data by just triggering sensor readings so that malicious behavior cannot be distinguished from normal sensor usage. For each presented covert channel we discuss the trade-off between data rate and the likelihood of being detected as well as potential countermeasures. The fastest covert channel we implemented achieves a data rate of 4844 bit/s while the stealthiest but slower covert channel cannot be distinguished from normal user behavior. To highlight the significance of these security issues, we used popular platforms, such as Linux and Android, to evaluate the presented covert channels. However, we do not make any assumption regarding the device’s platform, and thus we believe that the presented exploits pose a significant security risk for any sensor-equipped device.

Paper Nr: 47
Title:

Accomplishing Transparency within the General Data Protection Regulation

Authors:

Dayana Spagnuelo, Ana Ferreira and Gabriele Lenzini

Abstract: Transparency is a user-centric principle proposed to empower users to hold data processors accountable for the usage and the processing of the user’s personal data. Accomplishing transparency may come with some resistance because it requires significant architectural changes, but it is mandatory by law under the recently approved General Data Protection Regulation. To help the transition, we systematically review what Transparency Enhancing Technologies can help to accomplish transparency in agreement with technical requirements that we elicited from the Regulation’s articles. We discuss our findings in the domain of medical data systems, where accomplishing transparency looks particularly controversial due to sensitivity of the personal medical data.

Paper Nr: 56
Title:

A Decentralized Solution for Combinatorial Testing of Access Control Engine

Authors:

Said Daoudagh, Francesca Lonetti and Eda Marchetti

Abstract: In distributed environments, information security is a key factor and access control is an important means to guarantee confidentiality of sensitive and valuable data. In this paper, we introduce a new decentralized framework for testing of XACML-based access control engines. The proposed framework is composed of different web services and provides the following functionalities: i) generation of test cases based on combinatorial testing strategies; ii) decentralized oracle that associates the expected result to a given test case, i.e. an XACML request; and finally, iii) a GUI for interacting with the framework and providing some analysis about the expected results. A first validation confirms the efficiency of the proposed approach.

Paper Nr: 61
Title:

Extracting Vehicle Sensor Signals from CAN Logs for Driver Re-identification

Authors:

Szilvia Lestyán, Gergely Acs, Gergely Biczók and Zsolt Szalay

Abstract: Data is the new oil for the car industry. Cars generate data about how they are used and who’s behind the wheel which gives rise to a novel way of profiling individuals. Several prior works have successfully demonstrated the feasibility of driver re-identification using the in-vehicle network data captured on the vehicle’s CAN (Controller Area Network) bus. However, all of them used signals (e.g., velocity, brake pedal or accelerator position) that have already been extracted from the CAN log which is itself not a straightforward process. Indeed, car manufacturers intentionally do not reveal the exact signal location within CAN logs. Nevertheless, we show that signals can be efficiently extracted from CAN logs using machine learning techniques. We exploit that signals have several distinguishing statistical features which can be learnt and effectively used to identify them across different vehicles, that is, to quasi “reverse-engineer” the CAN protocol. We also demonstrate that the extracted signals can be successfully used to re-identify individuals in a dataset of 33 drivers. Therefore, not revealing signal locations in CAN logs per se does not prevent them to be regarded as personal data of drivers.

Paper Nr: 65
Title:

Behavioral Biometric Authentication in Android Unlock Patterns through Machine Learning

Authors:

José Torres, Sergio L. Santos, Efthimios Alepis and Constantinos Patsakis

Abstract: The penetration of ICT in our everyday lives has introduced numerous automations, and the continuous need for communication has made mobile devices indispensable. As a result, there is an ever-increasing deployment of services for which users need to authenticate. While the use of plain passwords is the default, many applications require higher standards of security, such as drawn patterns and fingerprints, used mostly to authenticate users and unlock their smart devices. In this work we propose a biometrics-based machine learning approach that supports user authentication in Android to augment native user authentication mechanisms, making the process more seamless and secure. Our evaluation results show very high rates of success, both for authenticating the legitimate user and also for rejecting the false ones. Finally, we showcase how the proposed solution can be deployed in non-rooted devices.

Paper Nr: 87
Title:

Hypervisor-assisted Atomic Memory Acquisition in Modern Systems

Authors:

Michael Kiperberg, Roee Leon, Amit Resh, Asaf Algawi and Nezer Zaidenberg

Abstract: Reliable memory acquisition is essential to forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on a dedicated hardware to software only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains a reliable (atomic) memory image of a running system. The method achieves this by making all memory pages non-writable until they are copied to the memory image, thus preventing uncontrolled modification of these pages. Unfortunately, the proposed method has two deficiencies: (1) the method does not support multiprocessing and (2) the method does not support modern operating systems featuring address space layout randomization (ASLR). We describe a hypervisor-based memory acquisition method that solves the two aforementioned deficiencies. We analyze the memory usage and performance of the proposed method.

Paper Nr: 103
Title:

SC2Share: Smart Contract for Secure Car Sharing

Authors:

Akash Madhusudan, Iraklis Symeonidis, Mustafa A. Mustafa, Ren Zhang and Bart Preneel

Abstract: This paper presents an efficient solution for the booking and payments functionality of a car sharing system that allows individuals to share their personal, underused cars in a completely decentralized manner, annulling the need of an intermediary. Our solution, named SC2Share, leverages smart contracts and uses them to carry out secure and private car booking and payments. Our experiments on SC2Share on the Ethereum testnet guarantee high security and privacy to its users and confirm that our system is cost-efficient and ready for practical use.

Short Papers
Paper Nr: 7
Title:

Probabilistic Modeling and Simulation of Vehicular Cyber Attacks: An Application of the Meta Attack Language

Authors:

Sotirios Katsikeas, Pontus Johnson, Simon Hacks and Robert Lagerström

Abstract: Attack simulations are a feasible means to assess the cyber security of systems. The simulations trace the steps taken by an attacker to compromise sensitive system assets. Moreover, they allow to estimate the time conducted by the intruder from the initial step to the compromise of assets of interest. One commonly accepted approach for such simulations are attack graphs, which model the attack steps and their dependencies in a formal way. To reduce the effort of creating new attack graphs for each system of a given type, domain-specific attack languages may be employed. They codify common attack logics of the considered domain. Consequently, they ease the reuse of models and, thus, facilitate the modeling of a specific system in the domain. Previously, MAL (the Meta Attack Language) was proposed, which serves as a framework to develop domain specific attack languages. In this article, we present vehicleLang, a Domain Specific Language (DSL) which can be used to model vehicles with respect to their IT infrastructure and to analyze their weaknesses related to known attacks. To model domain specifics in our language, we rely on existing literature and verify the language using an interview with a domain expert from the automotive industry. To evaluate our results, we perform a Systematic Literature Review (SLR) to identify possible attacks against vehicles. Those attacks serve as a blueprint for test cases checked against the vehicleLang specification.

Paper Nr: 9
Title:

Permission-based Risk Signals for App Behaviour Characterization in Android Apps

Authors:

Oluwafemi Olukoya, Lewis Mackenzie and Inah Omoronyia

Abstract: With the parallel growth of the Android operating system and mobile malware, one of the ways to stay protected from mobile malware is by observing the permissions requested. However, without careful consideration of these permissions, users run the risk of an installed app being malware, without any warning that might characterize its nature. We propose a permission-based risk signal using a taxonomy of sensitive permissions. Firstly, we analyse the risk of an app based on the permissions it requests, using a permission sensitivity index computed from a risky permission set. Secondly, we evaluate permission mismatch by checking what an app requires against what it requests. Thirdly, we evaluate security rules based on our metrics to evaluate corresponding risks. We evaluate these factors using datasets of benign and malicious apps (43580 apps) and our result demonstrates that the proposed framework can be used to improve risk signalling of Android apps with a 95% accuracy.

Paper Nr: 17
Title:

Locality-Sensitive Hashing for Efficient Web Application Security Testing

Authors:

Ilan Ben-Bassat and Erez Rokah

Abstract: Web application security has become a major concern in recent years, as more and more content and services are available online. A useful method for identifying security vulnerabilities is black-box testing, which relies on an automated crawling of web applications. However, crawling Rich Internet Applications (RIAs) is a very challenging task. One of the key obstacles crawlers face is the state similarity problem: how to determine if two client-side states are equivalent. As current methods do not completely solve this problem, a successful scan of many real-world RIAs is still not possible. We present a novel approach to detect redundant content for security testing purposes. The algorithm applies locality-sensitive hashing using MinHash sketches in order to analyze the Document Object Model (DOM) structure of web pages, and to efficiently estimate similarity between them. Our experimental results show that this approach allows a successful scan of RIAs that cannot be crawled otherwise.

Paper Nr: 18
Title:

Theorising on Information Cascades and Sequential Decision-making for Analysing Security Behaviour

Authors:

D. P. Snyman and H. A. Kruger

Abstract: Human behaviour is an ever-present aspect in information security and requires special attention when seeking to secure information systems. Information security behaviour is often based on an informed decision where information is obtained by previous experience and observation of the behaviour of others. In this research, the concept of sequential decision-making is contextualised in terms of information security behaviour. Information cascades, which are based on sequential decision-making, are theorised as a model to explain how decision-making (i.e. behaviour) takes place in terms of information security. A case study is presented to illustrate how behavioural threshold analysis can be employed as an instrument to evaluate the effect of information cascades and sequential decision-making on information security behaviour. The paper concludes by theorising on the applicability of the models and approaches that are presented in this research.

Paper Nr: 19
Title:

Security Analysis and Efficient Implementation of Code-based Signature Schemes

Authors:

Partha S. Roy, Kirill Morozov, Kazuhide Fukushima, Shinsaku Kiyomoto and Tsuyoshi Takagi

Abstract: In this paper, we derive code-based signature schemes using Fiat-Shamir transformation on code-based zero-knowledge identification schemes, namely the Stern scheme, the Jain-Krenn-Pietrzak-Tentes scheme, and the Cayrel-Veron-El Yousfi scheme. We analyze the security of these code-based signature schemes and derive the security parameters to achieve the 128-bit level security. Furthermore, we implement these signature schemes and compare their performance on a PC.

Paper Nr: 21
Title:

Robust Person Identification based on DTW Distance of Multiple-Joint Gait Pattern

Authors:

Takafumi Mori and Hiroaki Kikuchi

Abstract: Gait information can be used to identify and track persons. This work proposes a new gait identification method aggregating multiple features observed by a motion capture sensor and evaluates the robustness against obstacles in walking. The simplest gait identification is to use gait statistics, but these are not a significant feature with regard to identifying people accurately. Hence, in this work, we use the dynamic time warping (DTW) algorithm to calculate distances of gait sequences. DTW is a pattern-matching algorithm mainly used in speech recognition. It can compare two sets of time series data, even when they have different lengths. We also propose an optimal feature integration method for DTW distances. For evaluating the proposed method, we developed a prototype system and calculated the equal error rate (EER) using 31 subjects. As a result, we clarified that the EER of the proposed method is 0.036 for normal walking, and that it is robust to some obstacles in walking.

Paper Nr: 30
Title:

A Novel Behaviour Profiling Approach to Continuous Authentication for Mobile Applications

Authors:

Saud Alotaibi, Abdulrahman Alruban, Steven Furnell and Nathan Clarke

Abstract: The growth in smartphone usage has led to increased user concerns regarding privacy and security. Smartphones contain sensitive information, such as personal data, images, and emails, and can be used to perform various types of activity, such as transferring money via mobile Internet banking, making calls and sending emails. As a consequence, concerns regarding smartphone security have been expressed and there is a need to devise new solutions to enhance the security of mobile applications, especially after initial access to a mobile device. This paper presents a novel behavioural profiling approach to user identity verification as part of mobile application security. A study involving data collected from 76 users over a 1-month period was conducted, generating over 3 million actions based on users’ interactions with their smartphone. The study examines a novel user interaction approach based on supervised machine learning algorithms, thereby enabling a more reliable identity verification method. The experimental results show that users could be distinguished via their behavioural profiling upon each action within the application, with an average equal error rate of 26.98% and the gradient boosting classifier results prove quite compelling. Based on these findings, this approach is able to provide robust, continuous and transparent authentication.

Paper Nr: 33
Title:

Evaluating Security, Privacy and Usability Features of QR Code Readers

Authors:

Heider M. Wahsheh and Flaminia L. Luccio

Abstract: The widespread of smartphones with advanced capabilities has motivated developers to design new mobile applications that are used as barcode scanners. Although several barcode readers are available, they still have security and privacy limitations. In this paper, we first present a comprehensive and systematic review of barcode reader applications by analyzing their security, privacy and usability features. We categorize these apps into four groups depending on their properties: URLs security, Crypto-based security, Popular applications, and Save-privacy. We also highlight their weaknesses and present design recommendations for usable, secure and privacy-guaranteed scanner applications. Based on our recommendations, we have developed BarSec Droid, a proof-of-concept secure barcode reader Android app that exploits some features of other applications and at the same time overcomes their limitations. We have performed a user usability and security survey, on BarSec Droid and two other popular QR code readers, KasperSky and QR Droid Private. The results show that BarSec Droid is easy to use, satisfies the expectations of the users and is secure. Moreover, we have observed that following the design tips, user’s security awareness and usability increase.

Paper Nr: 35
Title:

In-depth Feature Selection and Ranking for Automated Detection of Mobile Malware

Authors:

Alejandro Guerra-Manzanares, Sven Nõmm and Hayretdin Bahsi

Abstract: New malware detection techniques are highly needed due to the increasing threat posed by mobile malware. Machine learning techniques have provided promising results in this problem domain. However, feature selection, which is an essential instrument to overcome the curse of dimensionality, presenting higher interpretable results and optimizing the utilization of computational resources, requires more attention in order to induce better learning models for mobile malware detection. In this paper, in order to find out the minimum feature set that provides higher accuracy and analyze the discriminatory powers of different features, we employed feature selection and ranking methods to datasets characterized by system calls and permissions. These features were extracted from malware application samples belonging to two different time-frames (2010-2012 and 2017-2018) and benign applications. We demonstrated that selected feature sets with small sizes, in both feature categories, are able to provide high accuracy results. However, we identified a decline in the discriminatory power of the selected features in both categories when the dataset is induced by the recent malware samples instead of old ones, indicating a concept drift. Although we plan to model the concept drift in our future studies, the feature selection results presented in this study give a valuable insight regarding the change occurred in the best discriminating features during the evolvement of mobile malware over time.

Paper Nr: 37
Title:

Finding Classification Zone Violations with Anonymized Message Flow Analysis

Authors:

Michael Meinig, Peter Tröger and Christoph Meinel

Abstract: Modern information infrastructures and organizations increasingly face the problem of data breaches and cyber-attacks. A traditional method for dealing with this problem are classification zones, such as ‘top secret’, ‘confidential’, and ‘unclassified’, which regulate the access of persons, hardware, and software to data records. In this paper, we present an approach that finds classification zone violations through automated message flow analysis. Our approach considers the problem of anonymization for the source event logs, which makes the resulting data flow model sharable with experts and the public. We discuss practical implications from applying the approach to a large governmental organization data set and discuss how the anonymity of our concept can be formally validated.

Paper Nr: 41
Title:

Usability of Policy Authoring Tools: A Layered Approach

Authors:

Stephanie Weinhardt and Olamide Omolola

Abstract: Many policy authoring tools lack usability, and this deficiency often deters new users from using the tools. In this paper, we propose an approach to make policy authoring more usable and enable novice users to create policies. The process of creating a trust policy using a trust policy language has different levels of complexity for different users. This paper identifies three categories of such users and introduces a three-layered approach to cater to each user group. The approach intuitively reduces the functionalities available based on the capability of each group of users and therefore making policy creation more usable.

Paper Nr: 43
Title:

An Order-specified Aggregate Authority-transfer Signature

Authors:

Takuya Ezure and Masaki Inamura

Abstract: We propose an order-specified aggregate authority-transfer signature based on the gap Diffie-Hellman group. In various organizations, to reduce the number of approvals required by someone who has relevant authority, the authority for a task can be transferred to a subordinate or another person who executes the task. Currently, authority is commonly transferred via a document, such as an authority-transfer agreement. However, to speed up the process and maintain the integrity of the evidence, we believe that it is better to transfer such authority via a computer network. In this paper, we propose an authority-transfer signature scheme using an order-specified aggregate signature and a group signature, and we propose a new authority-transfer system. In the signature method, a group signature scheme is used to express authority. Moreover, it transfers the authority owned by the manager to another member of the group. The difference from the group manager of the group signature is that this manager not only manages the group but also delegates authority. With the order-specified aggregate signature, it is possible to handle multiple signatures efficiently while verifying the order. We show that a safe and efficient authority-transfer system can be constructed using this new digital signature.

Paper Nr: 44
Title:

Automated Incident Response for Industrial Control Systems Leveraging Software-defined Networking

Authors:

Florian Patzer, Ankush Meshram and Maximilian Heß

Abstract: Modern technologies and concepts for Industrial Control Systems (ICS) are evolving towards high flexibility of processes and respectively networks. Such dynamic networks are already functioning well, for example in data centres. This is enabled by application of the Software-defined Networking (SDN) paradigm. For this reason, ICS is currently adopting SDN. The concept of having a centralized view of the network and generating packet forwarding rules to control it enables performing automated responses to network events and classified incidents via SDN. This automation can provide timely and, due to the holistic view of the network, accurate incident response actions. However, availability, safety, real-time and redundancy requirements within the ICS domain restrict the application of such an automated approach. At present, SDN-based incident response (SDN-IR) does not take into consideration these requirements. In this work, we identify possible SDN-based response actions to ICS incidents and introduce classification of assets and links. Furthermore, we present a concept for SDN-IR where a predefined rule set restricts the response actions based on the asset’s classification thereby satisfying ICS specific requirements. Subsequently, we describe and evaluate a prototype implementation of this concept, built with the open-source SDN platform OpenDaylight and the SDN protocol OpenFlow.

Paper Nr: 50
Title:

TED: A Container based Tool to Perform Security Risk Assessment for ELF Binaries

Authors:

Daniele Mucci and Bernhards Blumbergs

Abstract: Attacks against binaries, including novel hardware based attacks (e.g., Meltdown), are still very common, with hundreds of vulnerabilities discovered every year. This paper presents TED, an auditing tool which acts from the defense perspective and verifies whether proper defenses are in place for the GNU/Linux system and for each ELF binary in it. Unlike other solutions proposed, TED aims to integrate several tools and techniques by the use of software containers; this choice created the necessity to compare and analyze the most popular container platforms to determine the most suitable for this use case. The containerization approach allows to reduce complexity, gain flexibility and extensibility at the cost of a negligible performance loss, while significantly reducing the dependencies needed. Performance and functionality tests, both in lab and real-world environments, showed the feasibility of a container-based approach and the usefulness of TED in several use cases.

Paper Nr: 53
Title:

Evaluating Privacy Policy Summarization: An Experimental Study among Japanese Users

Authors:

Vanessa Bracamonte, Seira Hidano, Welderufael B. Tesfay and Shinsaku Kiyomoto

Abstract: Summarization and visualization applications can help users understand the content of privacy policies. However, research has focused on English language privacy policies and has not considered users who are not native English speakers nor the potential situation of encountering a privacy policy in a foreign language. In this paper, we contribute to the research on privacy policy summarization by conducting an experimental survey on Japanese users to assess their interest in using such an application, and the influence of this application on their perception. We conducted an experimental survey among Japanese participants, and evaluated their perception of different privacy policy languages (Japanese or English) and risk levels, using PrivacyGuide. We found that PrivacyGuide can increase interest in the contents of the privacy policy for both languages, and can communicate risk level for the English privacy policy. In addition, we found that respondents who indicated interest in using the application mentioned a wide variety of scenarios for its use, while respondents who answered negatively or were hesitant mentioned lack of trust and uncertainty about PrivacyGuide’s reputation and accuracy. We discuss these results and offer suggestions for improving adoption of privacy policy summarization tools like PrivacyGuide.

Paper Nr: 57
Title:

Towards Aligning GDPR Compliance with Software Development: A Research Agenda

Authors:

Meiko Jensen, Sahil Kapila and Nils Gruschka

Abstract: The General Data Protection Regulation (GDPR) caused several new legal requirements that software systems in Europe have to comply with. Support for these requirements given by proprietary software systems is limited. Here, an integrative approach of combining software development with GDPR-specific demands is necessary. In this paper, we outline such an approach on the level of software source code. We illustrate how to annotate data in complex software systems and how to use such annotations for tasks like data visualization, data exchange standardization, and GDPR-specific consent and purpose management systems. Thereby, we outline a research agenda for subsequent efforts in aligning software development and GDPR requirements.

Paper Nr: 59
Title:

The Common Vulnerability Scoring System vs. Rock Star Vulnerabilities: Why the Discrepancy?

Authors:

Doudou Fall and Youki Kadobayashi

Abstract: Meltdown & Spectre came as natural disasters to the IT world with several doomsday scenarios being professed. Yet, when we turn to the de facto standard body for assessing the severity of a security vulnerability, the Common Vulnerability Scoring System (CVSS), we surprisingly notice that Meltdown & Spectre do not command the highest scores. We witness a similar situation for other rock star vulnerabilities (vulnerabilities that have received a lot of media attention) such as Heartbleed and KRACKs. In this manuscript, we investigate why the CVSS ‘fails’ at capturing the intrinsic characteristics of rock star vulnerabilities. We dissect the different elements of the CVSS (v2 and v3) to prove that there is nothing within it that can indicate why a particular vulnerability is a rock star. Further, we uncover a pattern that shows that, despite all the beautifully elaborated formulas, magic numbers and catch phrases of the CVSS, there is still a heavy presence of human emotion in the scoring, as rock star vulnerabilities that were exploited in the wild before being discovered tend to have a higher score than those that were discovered and responsibly disclosed by security researchers. We believe that this is the principal reason for the discrepancy between the scoring and the level of media attention, as the majority of 'modern' high level vulnerabilities are introduced by security researchers.

Paper Nr: 62
Title:

Privacy Preservation of Social Network Users Against Attribute Inference Attacks via Malicious Data Mining

Authors:

Khondker J. Reza, Md Z. Islam and Vladimir Estivill-Castro

Abstract: Online social networks (OSNs) are currently a popular platform for social interactions among people. Usually, OSN users upload various contents including personal information on their profiles. The ability to infer users’ hidden information or information that has not been even uploaded (i.e. private/sensitive information) by an unauthorised agent is commonly known as attribute inference problem. In this paper, we propose 3LP+, a privacy-preserving technique, to protect users’ sensitive information leakage. We apply 3LP+ on a synthetically generated OSN data set and demonstrate the superiority of 3LP+ over an existing privacy-preserving technique.

Paper Nr: 71
Title:

Threat Modeling and Attack Simulations of Connected Vehicles: A Research Outlook

Authors:

Wenjun Xiong, Fredrik Krantz and Robert Lagerström

Abstract: Modern vehicles are dependent on software, and are often connected to the Internet or other external services, which makes them vulnerable to various attacks. To improve security for Internet facing systems, holistic threat modeling is becoming a common way to proactively make decisions and design for security. One approach that has not been commonly implemented is to enhance the threat models with probabilistic attack simulations. That is, incorporating security intelligence, attack types, vulnerabilities, and countermeasures to get objective security metrics and risk assessments. This combination has been shown efficient in other disciplines, e.g. energy and banking. However, it has so far been fairly unexplored in the vehicle domain. This position paper reviews previous research in the field, and implements a vehicle threat model using a tool called securiCAD, based on which future research requirements for connected vehicle attack simulations are also derived. The main findings are: 1) not much work has been done in the combined area of connected vehicles and threat modeling with attack simulations, 2) initial tests show that the approach is useful, 3) more research in vehicle specific attacks and countermeasures is needed in order to provide more accurate simulation results, and 4) a more tailored metamodel is needed for the vehicle domain.

Paper Nr: 72
Title:

An Image Forgery Detection Solution based on DCT Coefficient Analysis

Authors:

Hoai P. Nguyen, Florent Retraint, Frédéric Morain-Nicolier and Agnès Delahaies

Abstract: JPEG compression and double JPEG compression systematically introduce some particular characteristics in the Discrete Cosine Transform (DCT) domain. In this paper, we propose a description of these characteristics. We also describe how to exploit these characteristics to introduce a new and efficient solution for estimating the quantization steps used in the first compression of a double-compressed image. We also introduce a method for detecting forgery in compressed images. Although it is rapid, has a simple implementation and needs no training to be functional, the proposed solution nevertheless gives an auspicious performance. Its performance is demonstrated on simulated images and images retrieved from several public databases.

Paper Nr: 75
Title:

Smart-card Deployment of an Electronic Voting Protocol

Authors:

Hervé Chabanne, Emmanuelle Dottax and Franck Rondepierre

Abstract: We present a solution to securely deploy e-voting protocols in the field, thanks to smart-cards. Voters' credentials are securely stored on the cards, and the access is restricted by Match-on-Card biometrics. Interestingly, the biometrics verification is made against a list of eligible voters, which allows restricting the number of cards to one per voting booth. In contrast with previous e-voting solutions requiring a secure element per voter, this constitutes an affordable solution. As an example, we describe how the voting scheme Belenios can be implemented. We show that the resulting scheme gains receipt-freeness, and we give an implementation report that shows the practicability of our solution.

Paper Nr: 76
Title:

Practical Solutions to Save Bitcoins Applied to an Identity System Proposal

Authors:

Daniel Augot, Hervé Chabanne and William George

Abstract: In a recent work by Augot et al. (2017), a scheme is proposed to build an identity system on top of the Bitcoin network. However, this proposal incurs very high costs since Bitcoin transactions require heavy fees. The current work introduces modifications to their scheme to make it more cost efficient while preserving its potential. Namely, we build on features of Bitcoin’s scripting language, which allows swapping coins between two compatible blockchains, and also on off-chain transactions.

Paper Nr: 77
Title:

Attack and Defence Modelling for Attacks via the Speech Interface

Authors:

Mary K. Bispham, Ioannis Agrafiotis and Michael Goldsmith

Abstract: This paper presents a high-level model of attacks via a speech interface, and of defences against such attacks. Specifically, the paper provides a summary of different types of attacks, and of the defences available to counter them, within the framework of the OODA loop model. The model facilitates an inclusive conceptualisation of attacks via the speech interface, and serves as a basis for critical analysis of the currently available defence measures.

Paper Nr: 78
Title:

The Curious Case of Machine Learning in Malware Detection

Authors:

Sherif Saad, William Briguglio and Haytham Elmiligi

Abstract: In this paper, we argue that detecting malware attacks in the wild is a unique challenge for machine learning techniques. Given the current trend in malware development and the increase of unconventional malware attacks, we expect that dynamic malware analysis is the future for antimalware detection and prevention systems. A comprehensive review of machine learning for malware detection is presented. Then, we discuss how malware detection in the wild presents unique challenges for the current state-of-the-art machine learning techniques. We defined three critical problems that limit the success of malware detectors powered by machine learning in the wild. Next, we discuss possible solutions to these challenges and present the requirements of next-generation malware detection. Finally, we outline potential research directions in machine learning for malware detection.

Paper Nr: 91
Title:

Survey and Lessons Learned on Raising SME Awareness about Cybersecurity

Authors:

Christophe Ponsard, Jeremy Grandclaudon and Sébastien Bal

Abstract: Small and Medium Enterprises, like most companies, have become highly dependent on digital technology for running their business. Such companies are also increasingly targeted by cyberattacks while their level of protection, capability of reaction and recovery are low. The initial step to take them along the path of increasing their level of cybersecurity and resilience is to raise awareness. Achieving this step successfully is not an easy task and requires dealing mainly with human factors. This paper surveys a number of approaches and reports about our own experience with a cybersecurity awareness program targeting Belgian SMEs. Based on this, we propose some lessons learned and guidelines.

Paper Nr: 94
Title:

Tracking Data Trajectories in IoT

Authors:

Chiara Bodei and Letterio Galletta

Abstract: Internet of Things (IoT) devices access and process large amounts of data. Some of these data are sensitive and can become a target for security attacks. As a consequence, it is crucial to be able to trace data and to identify their paths. We start from the specification language IoT-LySa, and propose a Control Flow Analysis for statically predicting possible trajectories of data communicated in an IoT system and, consequently, for checking whether sensitive data can pass through possibly dangerous nodes. Paths are also interesting from an architectural point of view for deciding which are the points where data are collected, processed, communicated and stored and which are the suitable security mechanisms for guaranteeing a reliable transport from the raw data collected by the sensors to the aggregation nodes and to servers that decide actuations.

Paper Nr: 95
Title:

SMMDecoy: Detecting GPU Keyloggers using Security by Deception Techniques

Authors:

Ijlal Loutfi

Abstract: Human computer interaction is a fundamental part of the modern computing experience. Every day, millions of users rely on keyboards as their primary input interface, and use them to enter security sensitive information such as authentication credentials. These can be passwords, but also multi-authentication factors received from other devices, such as One Time Passwords and SMSs. Therefore, the security of the keyboard interface is critical. Unfortunately, both PS/2 and USB keyboards have open buffers which are vulnerable to sniffing by keyloggers. This paper focuses on the detection of the stealthiest variant of keyloggers, which is deployed within the firmware of IO devices, such as GPUs. We propose to use principles of security by deception: We inject decoy credentials into the open keyboard buffers, and give GPU keyloggers the opportunity to sniff them. These decoy credentials are then sent to a remote server that can raise an alarm anytime an attacker uses them. We assume a strong adversary that can infect both the GPU and the kernel. Therefore, we propose to deploy the solution within System Management Mode, and leverage Intel Software Guard Extensions for network communication. Both SMM and SGX are hardware protected against the OS and DMA, and thus provide strong security guarantees to our solution, which we name SMMDecoy.

Paper Nr: 96
Title:

A Fine-grained General Purpose Secure Storage Facility for Trusted Execution Environment

Authors:

Luigi Catuogno and Clemente Galdi

Abstract: In this paper we address the problem of enforcing data access control over the storage area of a mobile device running different and independent third party applications. To this end, we present the design of a general purpose secure file system that allows to guarantee file-grained data confidentiality at OS level. Data encryption, key management and policy enforcement are based on Trusted Execution Environment (TEE) facilities. We describe a prototype implementation and discuss preliminary performance results.

Paper Nr: 97
Title:

Sender Authentication for Automotive In-Vehicle Networks through Dual Analog Measurements to Determine the Location of the Transmitter

Authors:

Carlos Moreno and Sebastian Fischmeister

Abstract: Controller Area Network (CAN) is a fundamentally insecure communications bus. Its intrinsic lack of sender authentication makes impersonation attacks a severe threat to the security of systems that rely on CAN for communication between devices. In this paper, we propose a novel technique to enforce sender authenticity on a CAN bus. The technique is reliable, robust, and reasonably easy and inexpensive to implement, as it relies on non-clonable physical characteristics of the transmitted signals. In particular, we measure the analog signal at two different locations on the CAN bus physical wire; the signal corresponding to the transmitted message travels through the wire at a certain speed, which allows us to determine the physical location (i.e., position along the wire) of the transmitter as a function of the relative delay between the two analog measurements. Our work includes an experimental evaluation on an actual vehicle, with results that suggest that the technique is effective and practical.

Paper Nr: 99
Title:

Flexible Access Control and Confidentiality over Encrypted Data for Document-based Database

Authors:

Maryam Almarwani, Boris Konev and Alexei Lisitsa

Abstract: In this paper, we present an SDDB scheme for a document-based store that satisfies three security requirements: confidentiality, flexible access control, and querying over encrypted data. The scheme is inspired by PIRATTE and CryptDB concepts. PIRATTE is a proxy for sharing encrypted files through a social network between the data owner and a number of users, and the files are decrypted on the user side with the proxy key, whereas CryptDB is a proxy between a database and one user that encrypts or decrypts data based on the user’s queries. The scheme also improves CryptDB security and provides the possibility of sharing data with multiple users through the PIRATTE concept, which is used to verify authentication on the proxy side.

Paper Nr: 100
Title:

Vulnerabilities in IoT Devices for Smart Home Environment

Authors:

Luís Costa, João P. Barros and Miguel Tavares

Abstract: Recently, consumers have seen multiple products being advertised as smart home. These products promise to make our homes more comfortable, safe, automated, and remotely controlled. This new reality of processing information was given the name IoT (Internet of Things). Many news headlines have been published exposing serious security vulnerabilities in many IoT devices, with some of them being exploited to make one of the largest DDoS attacks recorded. In this paper we present a method developed with the purpose of identifying high risk vulnerabilities in smart home IoT devices, giving application examples of actual vulnerabilities found in two commercially available devices. This method uses several open source tools to identify vulnerabilities in some of these IoT devices. Besides, we will also present some topics related to the main threats and vulnerabilities that affect smart home IoT devices.

Paper Nr: 24
Title:

Predicting CyberSecurity Incidents using Machine Learning Algorithms: A Case Study of Korean SMEs

Authors:

Alaa Mohasseb, Benjamin Aziz, Jeyong Jung and Julak Lee

Abstract: The increasing amount and complexity of cyber security attacks in recent years have made text analysis and data-mining based techniques an important factor in detecting security threats. However, despite the popularity of text and other data mining techniques, the cyber security community has remained somehow reluctant in adopting an open approach to security-related data. In this paper, we analyze a dataset that has been collected from five Small and Medium companies in South Korea; this dataset represents cyber security incidents and response actions. We investigate how the data representing different incidents collected from multiple companies can help improve the classification accuracy and help the classifiers in distinguishing between different types of incidents. A model has been developed using text mining methods, such as n-gram, bag-of-words and machine learning algorithms for the classification of incidents and their response actions. Experimental results have demonstrated good performance of the classifiers for the prediction of different types of response and malware.

Paper Nr: 29
Title:

Accelerate Performance for Elliptic Curve Scalar Multiplication based on NAF by Parallel Computing

Authors:

Mohammad Anagreh, Eero Vainikko and Peeter Laud

Abstract: The aim of Elliptic Curve Cryptosystems (ECC) is to achieve the same security level as RSA but with shorter key size. The basic operation in the ECC is scalar multiplication which is an expensive operation. In this paper, we focus on optimizing ECC scalar multiplication based on Non-Adjacent Form (NAF). A new algorithm is introduced that combines an Add-Subtract Scalar Multiplication Algorithm with NAF representation to accelerate the performance of the ECC calculation. Parallelizing the new algorithm shows an efficient method to calculate ECC. The proposed method has sped up the calculation up to 60% compared with the standard method.

Paper Nr: 31
Title:

Phishing Email Detection based on Named Entity Recognition

Authors:

Vít Listík, Šimon Let, Jan Šedivý and Václav Hlaváč

Abstract: This work evaluates two phishing detection algorithms, which are both based on named entity recognition (NER), on live traffic of Email.cz. The first algorithm was proposed in (Ramanathan and Wechsler, 2013). It uses NER and latent Dirichlet allocation (LDA) as feature extractors for a random forest classifier. This algorithm achieved 100% F-measure on the publicly available testing dataset. We are using this algorithm as the baseline for our newly proposed solution. The newly proposed solution uses companies detected by the NER and compares URLs present in the email content to the company URL profile (based on history). The company URL profile contains domains which are frequently mentioned in legitimate traffic from that domain. The advantage of the proposed solution is that it does not need a phishing dataset, which is hard to get, especially for languages other than English. Our solution outperforms the baseline solution. Both solutions are able to detect previously undetected phishing attacks. Combination of the solutions achieves 100% F-measure on the portion of live traffic.

Paper Nr: 32
Title:

Maia: A Language for Mandatory Integrity Controls of Structured Data

Authors:

Wassnaa Al-Mawee, Paul J. Bonamy, Steve Carr and Jean Mayo

Abstract: The integrity of systems files is necessary for the secure functioning of an operating system. Integrity is not generally discussed in terms of complete computer systems. Instead, integrity issues tend to be either tightly coupled to a particular domain (e.g. database constraints), or else so broad as to be useless except after the fact (e.g. backups). Often, file integrity is determined by who modifies the file or by a checksum. This paper focuses on a general model of the internal integrity of a file. Even if a file is modified by a subject with trust or has a valid checksum, it may not meet the specification of a valid file. An example would be a password file with no user assigned a user id of 0. In this paper, we describe a language called Maia that provides a means to specify what the contents of a valid file should be. Maia can be used to specify the format and valid properties of system configuration files, PNG files and others. We give a structural operational semantics of Maia and discuss an initial implementation within a mandatory integrity system.

Paper Nr: 40
Title:

Definition and Efficient Construction of Encrypted k–anonymization Scheme

Authors:

Masayuki Yoshino, Takayuki Suzuki, Ken Naganuma and Hisayoshi Sato

Abstract: In this paper, we propose an encrypted k–anonymization scheme (EAS) to k–anonymize an encrypted database using a domain generalized hierarchy while maintaining the encryption state. Preparation of the domain generalized hierarchy is optional; the proposed EAS can generate domain generalized hierarchies using a Huffman code tree from a database encrypted with searchable encryption. As a result, the user can delegate k–anonymization processing to a third party organization such as the cloud while retaining the confidentiality of the database without preparing a generalized hierarchy. In addition, third-party organizations that are entrusted also have the advantage of eliminating the possibility of misconduct such as information leakage. In a standard computer experiment, we performed a generalization process, which is the major procedure for our EAS. The generalization process takes only around 168 seconds to achieve k–anonymity with k = 3 on 1,000,000 records consisting of 4 attributes. As a consequence, this high-speed performance means our EAS is applicable to not only batch processing but also real-time processing.

Paper Nr: 45
Title:

Improved Forensic Recovery of PKZIP Stream Cipher Passwords

Authors:

Sein Coray, Iwen Coisel and Ignacio Sanchez

Abstract: Data archives are often compressed following the PKZIP format and can optionally be encrypted with either the PKZIP stream cipher or the AES block cipher. In this article, we present new implementations of two attacks against the PKZIP stream cipher. To our knowledge, this is the first time those attacks have been demonstrated on Graphical Processing Unit (GPU). Our first implementation is retrieving archive passwords using the internal state of the PKZIP stream cipher obtained through the known-plaintext attack of Biham and Kocher. Passwords up to length 14 can be recovered within a month considering a single Nvidia 1080 Ti GPU. If one hundred of those cards are available, passwords up to length 15 would be recovered in less than 27 days. The second implementation is a more direct attack designed to retrieve an archive’s password without requiring any additional knowledge than the ciphertext. Experimental results show that our two implementations are at least ten times faster than the state of the art. This is an undeniable asset for investigators who may be particularly interested in further deepening their forensic analysis on an encrypted archive.

Paper Nr: 46
Title:

Detecting Anomalies by using Self-Organizing Maps in Industrial Environments

Authors:

Ricardo Hormann and Eric Fischer

Abstract: Detecting anomalies caused by intruders is a big challenge in industrial environments due to the complex environmental interdependencies and proprietary fieldbus protocols. In this paper, we proposed a network-based method for detecting anomalies by using unsupervised artificial neural networks called Self-Organizing Maps (SOMs). Therefore, we published an algorithm which identifies clusters and cluster centroids in SOMs to gain knowledge about the underlying data structure. In the training phase we created two neural networks, one for clustering the network data and the other one for finding the cluster centroids. In the operating phase our approach is able to detect anomalies by comparing new data samples with the first trained SOM model. We used a confidence interval to decide if the sample is too far from its best matching unit. A novel additional confidence interval for the second SOM is proposed to minimize false positives which have been a major drawback of machine learning methods in anomaly detection. We implemented our approach in a robot cell and infiltrated the network like an intruder would do to evaluate our method. As a result, we significantly reduced the false positive rate to 0.07% using the second interval while providing an accuracy of 99% for the detection of network attacks.

Paper Nr: 48
Title:

AuthLedger: A Novel Blockchain-based Domain Name Authentication Scheme

Authors:

Zhi Guan, Abba Garba, Anran Li, Zhong Chen and Nesrine Kaaniche

Abstract: Nowadays public key infrastructure authentication mainly relies on certificate authorities, which have to be trusted by both domain operators and domain owners. Domain Name System Security Extensions (DNSSEC) using DNS-based Authentication Name Entities (DANE) DNS record types offer additional security for authenticating data and integrity to the domain name system (DNS). This method allows clients, via signed statements, to specify which CAs are authorized to represent the certificate of a domain. Another method is Certificate Authority Authorizations (CAA), developed by the Internet Engineering Task Force (IETF) to provide a security guarantee against rogue certificate authorities that offer fake certificates for the domain. However, all of these approaches are prone to a single point of failure due to their trust attached to infrastructure like the Internet Corporation for Assigned Names and Numbers (ICANN). In order to weaken the level of trust in the CAs over certificates, it is necessary to balance the distribution rights among the entities and improve the control of certificate issuance for the certificate owners. Recently, with the emergence of Blockchain, a public and distributed ledger, several applications appeared taking advantage of this powerful technology. In this paper, we present AuthLedger, a domain authentication scheme based on blockchain technology. The proposed scheme is multi-fold. First, we proposed a domain authentication scheme to reduce the level of trust in CAs. Second, we implement our system using an Ethereum smart contract. Third, we evaluate the security and performance of the proposed system.

Paper Nr: 49
Title:

Mathematical Model to Estimate Loss by Cyber Incident in Japan

Authors:

Michihiro Yamada, Hiroaki Kikuchi, Naoki Matsuyama and Koji Inui

Abstract: There is a great demand from the viewpoint of security insurance to calculate the value of damage due to leakage of personal information. The Japan Network Security Association (JNSA) proposed a model to calculate the damage compensation amount. However, the coefficient was determined by experts’ subjective evaluations for which there is no basis. We propose a new mathematical model by applying multiple regression using cyber incident records and information such as enterprise size as explanatory variables and the value of extraordinary losses to a company as a target variable. We apply the damage model to 15,000 cyber incidents, compare the two models’ loss amounts, and consider the relationship between them.

Paper Nr: 54
Title:

Methodology of a Network Simulation in the Context of an Evaluation: Application to an IDS

Authors:

Pierre-Marie Bajan, Christophe Kiennert and Herve Debar

Abstract: This paper presents a methodology for the evaluation of network services security and the security of protection products. This type of evaluation is an important activity, considering the ever-increasing number of security incidents in networks. Those evaluations can present different challenges with a variety of properties to verify and an even larger number of tools available to compose and orchestrate together. The chosen approach in the paper is to simulate scenarios to perform traffic generation containing both benign and malicious actions against services and security products, that can be used separately or conjointly in attack simulations. We use our recently proposed method to generate evaluation data. This methodology highlights the preparation efforts from the evaluator to choose an appropriate data generating function and make topology choices. The paper presents the case and discusses the experimental results of an evaluation of a network-based IDS, with only benign traffic, only malicious traffic, and mixed traffic.

Paper Nr: 58
Title:

A Novel Features Set for Internet Traffic Classification using Burstiness

Authors:

Hussein Oudah, Bogdan Ghita and Taimur Bakhshi

Abstract: Traffic classification is an essential tool for network management and security. Traditional techniques such as port-based and payload analysis are ineffective as major Internet applications use dynamic port numbers and encryption. Recent studies have used statistical properties of flows to classify traffic with high accuracy, minimising the overhead limitations associated with other schemes such as deep packet inspection (DPI). Classification accuracy of statistical flow-based approaches, however, depends on the discrimination ability of the traffic features used. To this effect, the present paper customised the popular tcptrace utility to generate classification features based on traffic burstiness and periods of inactivity (idle time) for everyday Internet usage. An attempt was made to train a C5.0 decision tree classifier using the proposed features for eleven different Internet applications, generated by ten users. Overall, the newly proposed features reported a significant level of accuracy (~98%) in classifying the respective applications.

Paper Nr: 63
Title:

Enhancing Business Process Modelling with Data Protection Compliance: An Ontology-based Proposal

Authors:

Cesare Bartolini, Antonello Calabró and Eda Marchetti

Abstract: The research and industrial environments are struggling to identify practical approaches to highlight the (new) duties of controllers of personal data and foster the transition of IT-based systems, services, and tools to comply with the GDPR. In this paper, we present a solution for enhancing the modelling of business processes with facilities to help evaluate the compliance with the GDPR. The proposal is based on a model describing the constituents of the data protection domain: a structured form of the legal text, an ontology of data protection concepts, and a machine-readable translation of the GDPR provisions. An example of application is also provided.

Paper Nr: 64
Title:

Towards Automated Comprehensive Feature Engineering for Spam Detection

Authors:

Fred N. Kiwanuka, Ja’far Alqatawna, Anang M. Amin, Sujni Paul and Hossam Faris

Abstract: Every day, billions of emails are passed or processed through online servers, of which about 59% is spam according to recent research. Spam emails have increasingly contained viruses or other harmful malware and are a security risk to computer systems. The importance of spam filtering and the security of computer systems has become more essential than ever. The rate of evolution of spam nowadays is so high that previously successful spam detection methods are failing to cope. In this paper, we propose a comprehensive and automated feature engineering framework for spam classification. The proposed framework enables, first, the development of a large number of features from any email corpus, and second, the extraction of automated features using feature transformation and aggregation primitives. We show that the performance of classification of spam improves by between 2% and 28% for almost all conventional machine learning classifiers when using automated feature engineering. As a by-product of our comprehensive automated feature engineering, we develop a Python-based open source tool, which incorporates the proposed framework.

Paper Nr: 66
Title:

Identification and Extraction of Digital Forensic Evidence from Multimedia Data Sources using Multi-algorithmic Fusion

Authors:

Shahlaa Mashhadani, Nathan Clarke and F. Li

Abstract: With the enormous increase in the use and volume of photographs and videos, multimedia-based digital evidence has come to play an increasingly fundamental role in criminal investigations. However, given the increase in the volume of multimedia data, it is becoming time-consuming and costly for investigators to analyse the images manually. Therefore, a need exists for image analysis and retrieval techniques that are able to process, analyse and retrieve images efficiently and effectively. Outside of forensics, image annotation systems have become increasingly popular for a variety of purposes, and major software/IT companies, such as Amazon, Microsoft and Google, all have cloud-based image annotation systems. The paper presents a series of experiments that evaluate commercial annotation systems to determine their accuracy and ability to comprehensively annotate images within a forensic image analysis context (rather than simply single object imagery, which is typically the case). The paper further proposes and demonstrates the value of utilizing a multi-algorithmic approach via fusion to achieve the best results. The results of these experiments show that, among existing systems, the highest Average Recall was achieved by imagga with 53%, whilst the proposed multi-algorithmic system achieved 77% across the selected datasets. These results demonstrate the benefit of using a multi-algorithmic approach.

Paper Nr: 67
Title:

Monotonic and Non-monotonic Context Delegation

Authors:

Mouiad Al-Wahah and Csilla Farkas

Abstract: Delegating access privileges is a common practice of access control mechanisms. Delegation is usually used for distributing responsibilities of task management among entities. Delegation comes in two forms, GRANT and TRANSFER. In GRANT delegation, a successful delegation operation allows delegated privileges to be available to both the delegator and delegatee. In TRANSFER delegation, delegated privileges are no longer available to the delegator. Although several delegation approaches have been proposed, current models do not consider the issue of context delegation in context-based access control policies. We present two ontology-based context delegation approaches: monotonic context delegation, which adopts the GRANT version of delegation, and non-monotonic context delegation for the TRANSFER version of delegation. The approach presented here provides a dynamic and adaptive privilege delegation for access control policies. We employ Description Logic (DL) and Logic Programming (LP) technologies for modeling contexts, delegation and CBAC privileges. We have designed three lightweight Web Ontology Language (OWL) ontologies, CTX, CBAC, and DEL, for context, Context-Based Access Control (CBAC), and delegation, respectively. We show that semantic-based techniques can be used to support adaptive and dynamic context delegation for CBAC policies. We provide the formal framework of the approaches and show that they are sound, consistent and preserve the least-privilege principle.

Paper Nr: 68
Title:

Probabilistic Graphical Model on Detecting Insiders: Modeling with SGD-HMM

Authors:

Ahmed Saaudi, Yan Tong and Csilla Farkas

Abstract: This paper presents a novel approach to detect malicious behaviors in computer systems. We propose the use of varying granularity levels to represent users’ log data: Session-based, Day-based, and Week-based. A user’s normal behavior is modeled using a Hidden Markov Model. The model is used to detect any deviation from the normal behavior. We also propose a Sliding Window Technique to identify malicious activity effectively by considering the near history of user activity. We evaluated our results using Receiver Operating Characteristic curves (or ROC curves). Our evaluation shows that the results are superior to existing research by improving the detection ability and reducing the false positive rate. Combining the sliding window technique with the session-based system gives fast detection performance.

Paper Nr: 69
Title:

Towards Automated Characterization of Malware’s High-level Mechanism using Virtual Machine Introspection

Authors:

Shun Yonamine, Youki Kadobayashi, Daisuke Miyamoto and Yuzo Taenaka

Abstract: One of the goals of malware analysis is to figure out the intention of an attacker, namely the high-level mechanism. Since malicious activities are typically performed by combining multiple APIs, identifying the malicious intention requires inspecting the series of APIs to analyze its semantics. In traditional malware analysis, this task generally relies on manual efforts of experts. There is no methodology for associating multiple APIs and identifying the malicious intention in an automated manner. In this paper, we propose a virtual machine introspection-based method for automatically identifying high-level mechanisms. We developed Spaniel, a prototype system, which uses taint analysis to track malicious processing that derives from the data read from a specified file and collects the traces of malicious activities. For evaluation, we used adversary behavior models defined in ATT&CK, and Spaniel identified key indicators that cover 26% of those models.

Paper Nr: 73
Title:

The HERMENEUT Project: Enterprises Intangible Risk Management via Economic Models based on Simulation of Modern Cyber Attacks

Authors:

Enrico Frumento and Carlo Dambra

Abstract: This paper presents the funding principles of the HERMENEUT H2020 EU project (www.hermeneut.eu), whose objective is to assess cyber-risk and value its consequences on both tangible and intangible assets. HERMENEUT innovates with a unique cyber-security cost-benefit analysis approach that combines current attack trends, integrated assessment of vulnerabilities and likelihoods of cyber-attacks with an innovative macro- and microeconomic model of intangible costs, to deliver risk estimations for individual organisations, sectors and the economy. It then suggests options to both apportion cyber-security budget on multiple mitigations and transfer non-tolerable residual risks to cyber-insurance. HERMENEUT also provides a decision support tool to stakeholders and validates it in two industries belonging to two sectors increasingly under cyber-attack: health-care and an Intellectual Property-intensive sector. The HERMENEUT project is now in its second year of life, heading to the proof of the theoretical funding assumptions in the field-tests.

Paper Nr: 79
Title:

Malicious DNS Traffic in Tor: Analysis and Countermeasures

Authors:

Michael Sonntag

Abstract: Anonymization is commonly seen as useful only for people that have something to hide. Tor exit nodes are therefore associated with malicious behaviour and especially the so-called “darknet”. While the Tor network supports hidden services, and a large share of these serve illegal purposes, most of the traffic in the Tor network exits to the normal Internet and could be, and probably is, legal. We investigate this by taking a look at the DNS requests of a high-bandwidth exit node. We observe some malicious behaviour (especially DNS scans), questionable targets (both widely seen as immoral as well as very likely illegal in most countries), and careless usage. However, all these, while undoubtedly undesirable, make up only a small share of the exit traffic. We then propose some additions to reduce the detected malicious use.

Paper Nr: 89
Title:

Machine Learning for All: A More Robust Federated Learning Framework

Authors:

Chamatidis Ilias and Spathoulas Georgios

Abstract: Machine learning and especially deep learning are appropriate for solving multiple problems in various domains. Training such models, though, demands significant processing power and requires large data-sets. Federated learning is an approach that merely solves these problems, as multiple users constitute a distributed network and each one of them trains a model locally with his data. This network can cumulatively sum up significant processing power to conduct training efficiently, while it is easier to preserve privacy, as data does not leave its owner. Nevertheless, it has been proven that federated learning also faces privacy and integrity issues. In this paper, a general enhanced federated learning framework is presented. Users may provide data or the required processing power or participate just in order to train their models. Homomorphic encryption algorithms are employed to enable model training on encrypted data. Blockchain technology is used, as smart contracts coordinate the work-flow and the commitments made between all participating nodes, while at the same time, token exchanges between nodes provide the required incentives for users to participate in the scheme and to act legitimately.

Paper Nr: 90
Title:

Construction of Secure Internal Networks with Communication Classifying System

Authors:

Yuya Sato, Hirokazu Hasegawa and Hiroki Takakura

Abstract: The recent sophistication of cyber attacks makes it difficult for us to protect our networks completely, because the dedicated malware that targeted cyber attacks use may slip through traditional countermeasures like firewalls or intrusion detection systems. A separated network (e.g., separating a network into several segments and controlling access among sub-networks) is one effective countermeasure against targeted attacks. In order to support constructing separated networks, we previously proposed an automated ACL generation system. However, the system may overly permit communication because it focuses on business continuity. In this paper, we propose a Communication Classifying System for constructing secure internal networks. When a communication occurs in a section that the previous system permitted, the proposed system analyzes it. The system evaluates the consistency of the communication by comparing the communication with the reason that the previous system permitted such communication. If a communication that lacks consistency is detected, the system additionally analyzes it. In this additional analysis, the system checks the states of destination terminals. If a destination terminal is listening on the port for the protocol of the communication that occurred, the system judges that the communication is proper. By using the resulting classification, we can prohibit the communication sections that the previous system overly permitted.

Paper Nr: 93
Title:

A Secure Framework with Remote Configuration of Intellectual Property

Authors:

Nadir Khan, Sven Nitzsche and Jürgen Becker

Abstract: In this work, an intellectual property (IP) licensing framework is proposed that is secure against IP theft (cloning and redistribution). This security is provided by utilizing built-in features of modern field programmable gate arrays (FPGAs), e.g. secure boot, state-of-the-art cryptography and trusted execution environments (TEE). The scheme is also the least restrictive in comparison to other publications in this area. Using this scheme, multiple IP core vendors (CVs) can configure their IPs remotely by connecting directly to an FPGA. Devices are booted securely using an authenticated and encrypted boot loader that initiates an authenticated and encrypted hypervisor, which in turn provides a TEE by partitioning the system resources into secure and non-secure sections. At this stage, a secure operating system (OS) is loaded that handles all the security critical functions such as communication with CVs, storage and analysis of bitstreams, enforcement of license constraints and configuration of IPs. Then, a second, non-secure OS is loaded, which provides an isolated execution environment with unrestricted access to non-secure resources. Hence, they are not limited to predefined APIs. Both OSes can interact via the hypervisor. The implementation of this framework is a work-in-progress and results presented within this paper are subject to change.

Paper Nr: 102
Title:

Location Privacy Assured Internet of Things

Authors:

Ismail Butun and Mikael Gidlund

Abstract: The Internet of Things (IoT) is in the booming age of its growth; therefore, a vast number of applications, projects, hardware/software solutions, and customized concepts are being developed. The proliferation of IoT will enable location-based services to be available everywhere for everyone, and this will raise a large number of privacy issues related to the collection, usage, retention, and disclosure of the user’s location information. In order to provide a solution to this unique problem of IoT, this paper proposes the Location Privacy Assured Internet of Things (LPA-IoT) scheme, which uses the concepts of Mix-Zone and location-obfuscation along with context-awareness. To the authors’ best knowledge, the proposed LPA-IoT scheme is the first location-based privacy-preserving scheme for IoT that provides flexible privacy levels associated with the present context of the user.