ICISSP 2021 Abstracts


Full Papers
Paper Nr: 6
Title:

Who Stores the Private Key? An Exploratory Study about User Preferences of Key Management for Blockchain-based Applications

Authors:

Clemens Brunner, Günther Eibl, Peter Fröhlich, Andreas Sackl and Dominik Engel

Abstract: Applications based on blockchain technology have become popular. While these applications have clear benefits, users are not yet familiar with their usage, which could hinder further applications of this technology. In this paper, an online survey with 110 potential users, as a representative of an average citizen, was conducted. The focus of this survey is to explore their preferences concerning the interaction with blockchain-based applications by mainly focusing on how to handle private keys. To best of our knowledge this is the first study where average citizens are asked about the preferred management of a private key, which is necessary when interacting with blockchain-based applications. One of the main results was that about 80% of the participants would like to have the benefit of data sovereignty despite the cost of being fully responsible to backup their credentials.

Paper Nr: 16
Title:

Utilizing Keystroke Dynamics as Additional Security Measure to Protect Account Recovery Mechanism

Authors:

Ahmed A. Wahab, Daqing Hou, Stephanie Schuckers and Abbie Barbir

Abstract: Account recovery is ubiquitous across web applications but circumvents the username/password-based login step. Therefore, it deserves the same level of security as the user authentication process. A common simplistic procedure for account recovery requires that a user enters the same email used during registration, to which a password recovery link or a new username could be sent. Therefore, an impostor with access to a user’s registration email and other credentials can trigger an account recovery session to take over the user’s account. To prevent such attacks, beyond validating the email and other credentials entered by the user, our proposed recovery method utilizes keystroke dynamics to further secure the account recovery mechanism. Keystroke dynamics is a type of behavioral biometrics that uses the analysis of typing rhythm for user authentication. Using a new dataset with over 500,000 keystrokes collected from 44 students and university staff when they fill out an account recovery web form of multiple fields, we have evaluated the performance of five scoring algorithms on individual fields as well as feature-level fusion and weighted-score fusion. We achieve the best EER of 5.47% when keystroke dynamics from individual fields are used, 0% for a feature-level fusion of five fields, and 0% for a weighted-score fusion of seven fields. Our work represents a new kind of keystroke dynamics that we would like to call it ‘medium fixed-text’ as it sits between the conventional (short) fixed text and (long) free text research.

Paper Nr: 22
Title:

On Security Analysis of Periodic Systems: Expressiveness and Complexity

Authors:

Musab A. Alturki, Tajana B. Kirigin, Max Kanovich, Vivek Nigam, Andre Scedrov and Carolyn Talcott

Abstract: Development of automated technological systems has seen the increase in interconnectivity among its components. This includes Internet of Things (IoT) and Industry 4.0 (I4.0) and the underlying communication between sensors and controllers. This paper is a step toward a formal framework for specifying such systems and analyzing underlying properties including safety and security. We introduce automata systems (AS) motivated by I4.0 applications. We identify various subclasses of AS that reflect different types of requirements on I4.0. We investigate the complexity of the problem of functional correctness of these systems as well as their vulnerability to attacks. We model the presence of various levels of threats to the system by proposing a range of intruder models, based on the number of actions intruders can use.

Paper Nr: 23
Title:

Predicting Security Program Effectiveness in Bring-Your-Own-Device Deployment in Organizations

Authors:

Alexander O. Akande and Vu N. Tran

Abstract: Bring Your Own Device (BYOD) adoption in organizations continues to grow in recent years, with the aim to improve both organization cost-saving, employee job satisfaction, and employee productivity. An effective BYOD security program enhances the chance of success of a BYOD deployment. This study evaluates the applicability of the Knapp and Ferrante’s Information Security Policy and Effectiveness model for explaining and predicting BYOD security program effectiveness. The relationships between the fundamental causal factors in the model, namely awareness, enforcement, and maintenance, and program effectiveness, were evaluated using a sample of 119 BYOD users working in the financial sector in the United States. Our investigation shows support for utilizing this model to drive improvement in a BYOD deployment.

Paper Nr: 25
Title:

Automatic Detection of Cyber Security Events from Turkish Twitter Stream and Newspaper Data

Authors:

Özgür Ural and Cengiz Acartürk

Abstract: Cybersecurity experts scan the internet and face security events that influence user and institutions. An information security analyst regularly examines sources to stay up to date on security events in the domain of expertise. This may lead to a heavy workload for the information analysts if they do not have proper tools for security event investigation. For example, an information analyst may want to stay aware of cybersecurity events, such as a DDoS (Distributed Denial of Service) attack on a government agency website. The earlier they detect and understand the threats, the longer the time remaining to alleviate the obstacle and to investigate the event. Therefore, information security analysts need to establish and keep situational awareness active about the security events and their likely effects. However, due to the large volume of information flow, it may be difficult for security analysts and researchers to detect and analyze security events timely. It is important to detect security events timely. This study aims at developing tools that are able to provide timely reports of security incidents. A recent challenge is that the internet community use different languages to share information. For instance, information about security events in Turkey is mostly shared on the internet in Turkish. The present study investigates automatic detection of security incidents in Turkish by processing data from Twitter and news media. It proposes an automatic prototype, Turkish-specific software system that can detect cybersecurity events in real time.

Paper Nr: 29
Title:

Improvement of Secure Multi-Party Multiplication of (k, n) Threshold Secret Sharing Using Only N = k Servers

Authors:

Ahmad M. Kamal and Keiichi Iwamura

Abstract: Secure multi-party computation (MPC) allows a set of n servers to jointly compute an arbitrary function of their inputs, without revealing these inputs to each other. A (k,n) threshold secret sharing is a protocol in which a single secret is divided into n shares and the secret can be recovered from a threshold k shares. Typically, multiplication of (k,n) secret sharing will result in increase of polynomial degree from k-1 to 2k-2, thus increasing the number of shares required from k to 2k-1. Since each server typically hold only one share, the number of servers required in MPC will also increase from k to 2k-1. Therefore, a set of n servers can compute multiplication securely if the adversary corrupts at most k-1<n/2 of the servers. In this paper, we differentiate the number of servers N required and parameter n of (k,n) secret sharing scheme, and propose a method of computing (k-1) sharing of multiplication ab by using only N=k servers. By allowing each server to hold two shares, we realize MPC of multiplication with the setting of N=k,n≥2k-1. We also show that our proposed method is information theoretic secure against a semi-honest adversary.

Paper Nr: 36
Title:

An Analytic Attack against ARX Addition Exploiting Standard Side-channel Leakage

Authors:

Yan Yan, Elisabeth Oswald and Srinivas Vivek

Abstract: In the last few years a new design paradigm, the so-called ARX (modular addition, rotation, exclusive-or) ciphers, have gained popularity in part because of their non-linear operation’s seemingly ‘inherent resilience’ against Differential Power Analysis (DPA) Attacks: the non-linear modular addition is not only known to be a poor target for DPA attacks, but also the computational complexity of DPA-style attacks grows exponentially with the operand size and thus DPA-style attacks quickly become practically infeasible. We however propose a novel DPA-style attack strategy that scales linearly with respect to the operand size in the chosen-message attack setting.

Paper Nr: 37
Title:

Bridging Knowledge Gaps in Security Analytics

Authors:

Fabian Böhm, Manfred Vielberth and Günther Pernul

Abstract: In a cyber-physical world, the number of links between corporate assets is growing and infrastructures are becoming more complex. This and related developments significantly enlarge the attack surface of organizations. Additionally, more and more attacks do not exploit technical vulnerabilities directly but gain a foothold through phishing or social engineering. Since traditional security systems prove to be no longer sufficient to detect incidents effectively, humans and their specialized knowledge are becoming a critical security factor. Therefore, it is vital to maintain an overview of the cybersecurity knowledge spread across the entire company. However, there is no uniform understanding of knowledge in the field of security analytics. We aim to close this gap by formalizing knowledge and defining a conceptual knowledge model in the context of security analytics. This allows existing research to be better classified and shows that individual areas offer much potential for future research. In particular, the collaboration between domain experts but also between machines and employees could enable the exploitation of previously unused but crucial knowledge. For example, this knowledge is of great value for defining security rules in current security analytics systems. We introduce a proof of concept implementation using visual programming to showcase how even security novices can easily contribute their knowledge to security analytics.

Paper Nr: 43
Title:

The Comparison of Word Embedding Techniques in RNNs for Vulnerability Detection

Authors:

Hai N. Nguyen, Songpon Teerakanok, Atsuo Inomata and Tetsutaro Uehara

Abstract: Many studies have combined Deep Learning and Natural Language Processing (NLP) techniques in security systems in performing tasks such as bug detection, vulnerability prediction, or classification. Most of these works relied on NLP embedding methods to generate input vectors for the deep learning models. However, there are many existing embedding methods to encode software text files into vectors, and the structures of neural networks are immense and heuristic. This leads to a challenge for the researcher to choose the appropriate combination of embedding techniques and the model structure for training the vulnerability detection classifiers. For this task, we propose a system to investigate the use of four popular word embedding techniques combined with four different recurrent neural networks (RNNs), including both bidirectional RNNs (BRNNs) and unidirectional RNNs. We trained and evaluated the models by using two types of vulnerable function datasets written in C code. Our results showed that the FastText embedding technique combined with BRNNs produced the most efficient detection rate, compared to other combinations, on a real-world but not on an artificially-produced dataset. Further experiments on other datasets are necessary to confirm this result.

Paper Nr: 49
Title:

A Permissioned Blockchain-based System for Collaborative Drug Discovery

Authors:

Christoffer Olsson and Mohsen Toorani

Abstract: Research and development of novel molecular compounds in the pharmaceutical industry can be highly costly. Lack of confidentiality can prevent a product from being patented or commercialized. As an effect, cross-organizational collaboration is virtually non-existent. In this paper, we introduce a blockchain-based solution to the collaborative drug discovery problem so that participants can maintain full ownership of the asset and upload partial information about molecules without revealing the molecule itself. A prototype is also implemented using the blockchain technology Hyperledger Fabric and analyzed from security and performance perspectives. The prototype provides a set of functionalities that makes sure that ownership is maintained, integrity is protected, and critical information remains confidential. From a performance perspective, it provides a good throughput and latency in the order of milliseconds. However, further improvements could be done to the scalability of the system.

Paper Nr: 50
Title:

Checking Contact Tracing App Implementations

Authors:

Robert Flood, Sheung S. Chan, Wei Chen and David Aspinall

Abstract: In the wake of the COVID-19 pandemic, contact tracing apps have been developed based on digital contact tracing frameworks. These allow developers to build privacy-conscious apps that detect whether an infected individual is in close-proximity with others. Given the urgency of the problem, these apps have been developed at an accelerated rate with a brief testing period. Such quick development may have led to mistakes in the apps’ implementations, resulting in problems with their functionality, privacy and security. To mitigate these concerns, we develop and apply a methodology for evaluating the functionality, privacy and security of Android apps using the Google/Apple Exposure Notification API. This is a three-pronged approach consisting of a manual analysis, general static analysis and a bespoke static analysis, using a tool we’ve developed, dubbed MonSTER. As a result, we have found that, although most apps met the basic standards outlined by Google/Apple, there are issues with the functionality of some of these apps that could impact user safety.

Paper Nr: 52
Title:

Optimizing Leak Detection in Open-source Platforms with Machine Learning Techniques

Authors:

Sofiane Lounici, Marco Rosa, Carlo M. Negri, Slim Trabelsi and Melek Önen

Abstract: Public code platforms like GitHub are exposed to several different attacks, and in particular to the detection and exploitation of sensitive information (such as passwords or API keys). While both developers and companies are aware of this issue, there is no efficient open-source tool performing leak detection with a significant precision rate. Indeed, a common problem in leak detection is the amount of false positive data (i.e., non critical data wrongly detected as a leak), leading to an important workload for developers manually reviewing them. This paper presents an approach to detect data leaks in open-source projects with a low false positive rate. In addition to regular expression scanners commonly used by current approaches, we propose several machine learning models targeting the false positives, showing that current approaches generate an important false positive rate close to 80%. Furthermore, we demonstrate that our tool, while producing a negligible false negative rate, decreases the false positive rate to, at most, 6% of the output data.

Paper Nr: 60
Title:

Adversarial Machine Learning: A Comparative Study on Contemporary Intrusion Detection Datasets

Authors:

Yulexis Pacheco and Weiqing Sun

Abstract: Studies have shown the vulnerability of machine learning algorithms against adversarial samples in image classification problems in deep neural networks. However, there is a need for performing comprehensive studies of adversarial machine learning in the intrusion detection domain, where current research has been mainly conducted on the widely available KDD’99 and NSL-KDD datasets. In this study, we evaluate the vulnerability of contemporary datasets (in particular, UNSW-NB15 and Bot-IoT datasets) that represent the modern network environment against popular adversarial deep learning attack methods, and assess various machine learning classifiers’ robustness against the generated adversarial samples. Our study shows the feasibility of the attacks for both datasets where adversarial samples successfully decreased the overall detection performance.

Paper Nr: 62
Title:

Automatic Detection and Decryption of AES by Monitoring S-Box Access

Authors:

Josef Kokeš, Jonatan Matějka and Róbert Lórencz

Abstract: In this paper we propose an algorithm that can automatically detect the use of AES and automatically recover both the encryption key and the plaintext. It makes use of the fact that we can monitor accesses to the AES S-Box and deduce the desired data from these accesses; the approach is suitable to software-based AES implementations, both naíve and optimized. To demonstrate the feasibility of this approach we designed a tool which implements the algorithm for Microsoft Windows running on the Intel x86 architecture. The tool has been successfully tested against a set of applications using different cryptographic libraries and common user applications.

Paper Nr: 63
Title:

Parallel Privacy-preserving Computation of Minimum Spanning Trees

Authors:

Mohammad Anagreh, Eero Vainikko and Peeter Laud

Abstract: In this paper, we propose a secret sharing based secure multiparty computation (SMC) protocol for computing the minimum spanning trees in dense graphs. The challenges in the design of the protocol arise from the necessity to access memory according to private addresses, as well as from the need to reduce the round complexity. In our implementation, we use the single-instruction-multiple-data (SIMD) operations to reduce the round complexity of the SMC protocol; the SIMD instructions reduce the latency of the network among the three servers of the SMC platform. We present a state-of-the-art parallel privacy-preserving minimum spanning tree algorithm which is based on Prim’s algorithm for finding a minimum spanning tree (MST) in dense graphs. Performing permutation of the graph with sharemind to be able to perform the calculation of the MST on the shuffled graph outside the environment. We compare our protocol to the state of the art and find that its performance exceeds the existing protocols when being applied to dense graphs.

Paper Nr: 68
Title:

Hydra: Practical Metadata Security for Contact Discovery, Messaging, and Dialing

Authors:

David Schatz, Michael Rossberg and Guenter Schaefer

Abstract: Communication metadata may leak sensitive information even when content is encrypted, e.g. when contacting medical services. Unfortunately, protecting metadata is challenging. Existing approaches for anonymous communications either are vulnerable in a strong (but feasible) threat model or have practicability issues like intense usage of asymmetric cryptography. We propose Hydra, a mix network that is able to provide multiple anonymous services in a uniform way. In contrast to previous messaging systems with strong anonymity, we deliberately use padded onion-encrypted circuits. This allows to support connectionless applications like contact discovery with authenticated key exchange, messaging, and dialing (signalling for connection-oriented communications) with strong anonymity and relatively low latency. Our cryptography benchmarks show that Hydra is able to process messages an order of magnitude faster than state of the art messaging systems with strong anonymity. At the same time, bandwidth overhead is comparable to previous systems. We further develop an analytical model to predict the end-to-end latency of Hydra and validate it in a testbed.

Paper Nr: 78
Title:

Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications

Authors:

Malte Kushnir, Olivier Favre, Marc Rennhard, Damiano Esposito and Valentin Zahnd

Abstract: Automated and reproducible security testing of web applications is getting more and more important, driven by short software development cycles and constraints with respect to time and budget. Some types of vulnerabilities can already be detected reasonably well by automated security scanners, e.g., SQL injection or cross-site scripting vulnerabilities. However, other types of vulnerabilities are much harder to uncover in an automated way. This includes access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect access control vulnerabilities in the context of HTTP GET requests is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort that enables frequent and reproducible testing. An evaluation using four web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives relatively low.

Paper Nr: 82
Title:

A State Saturation Attack against Massively Multiplayer Online Videogames

Authors:

Blake Bryant and Hossein Saiedian

Abstract: Online videogames have enjoyed a recent surge in popularity due to increased work-from-home policies, the popularization of high-reward game tournaments, and the prospect of players earning decent wages from streaming online content. The viability of leveraging online gaming as a source of primary or supplemental income places higher stakes on the security and suitability of the network and underlying protocols used to transport game related data. A common technique used in videogames known as “animation canceling” has been used for decades to improve player performance in competitive game play. This paper reviews the potential impact of animation canceling in terms of network traffic generated and degradation to the player experience. The paper lays the conceptual groundwork for networked videogames by describing common network architectures that facilitates competitive videogame play. Finally, a AAA gaming title is selected as a case study, using the principles established within this paper, to evaluate the effects of animation canceling on competitive game play. This paper introduces a new term ”state saturation” to describe a potential lag-based attack that may be implemented via animation cancelling to starve client-server based networked videogame command messages and game a competetive edge during game play.

Paper Nr: 93
Title:

CyExec*: Automatic Generation of Randomized Cyber Range Scenarios

Authors:

Ryotaro Nakata and Akira Otsuka

Abstract: With the development of information technology, the need for information security education is increasing, and the effectiveness of cyber range exercises is attracting attention. The cyber range is a system to learn knowledge and skills by experiencing an incident scenario reproduced in a virtual environment. Many scenarios are required to train a security expert through various incident experiences. However, scenario development requires highly specialized expertise. Thus, in practice, only a limited number of scenarios are worn out around. Identical scenarios may decrease the educational effect since the other teams’ actions or write-ups on the internet will hint the students. We propose CyExec*, a cyber range system that automatically generates multiple scenarios based on DAG(Directed Acyclic Graph)-based scenario randomization. Multiple scenarios with the same learning objectives can enhance teaching effectiveness and prevent cheating. We developed the DAGbased scenario randomization technique on a Docker-based cyber range system called CyExec. By taking full advantage of Docker’s system/network configuration power, we can randomize complex scenarios across multiple networks. Comparison with the VM-based scenario generators, CyExec* outperforms, especially in storage usage. Further, CyExec* only consumes 1/3 memories, 1/4 CPU loads, and 1/10 storage usages. Thus, Cyexec* can operate approximately 3-times more complex scenarios than VM-based systems.

Paper Nr: 97
Title:

From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age

Authors:

Yixiong Wu, Jianwei Zhuge, Tingting Yin, Tianyi Li, Junmin Zhu, Guannan Guo, Yue Liu and Jianju Hu

Abstract: The number of Internet-facing industrial control system(ICS) devices has risen rapidly due to remote control demand. Going beyond benefits in maintenance, this also exposes the fragile ICS devices to cyber-attackers. To characterize the security status of Internet-facing ICS devices, we analyze the exposed ICS devices and their vulnerabilities. Considering the ethic, we design and implement ICScope, a passive vulnerability assessment system based on device search engines. Firstly, ICScope extracts the ICS device information from the banners returned by multiple search engines. Then, ICScope filters out the possible ICS honeypots to guarantee accuracy. Finally, ICScope associates ICS vulnerabilities with each ICS device. Over the past year, our measurements cover more than 466,000 IPs. We first perform a comprehensive measurement of Internet-facing ICS devices from Dec 2019 to Jan 2020. We find that there are about 49.58% of Internet-facing ICS devices that can be identified are affected by one or more vulnerabilities. We also conduct three times experiments from Jun 2020 to Dec 2020 to monitor the security status of Internet-facing ICS devices. We observe a slowly decreasing trend in the number of vulnerable ICS devices during our experiment period.

Paper Nr: 104
Title:

Towards Academic and Skills Credentialing Standards and Distributed Ledger Technologies

Authors:

Morné Pretorius, Nelisiwe Dlamini and Sthembile Mthethwa

Abstract: Today’s internet-connected world is moving towards evermore digitisation. Consequently, the education system globally is experiencing various problems whilst trying to keep up with this disruptive and ongoing change that is introduced. One way to alleviate the problem is standardising how skills and academic achievement are quantified, digitised, authenticated and persisted to achieve a means of automated verification and matching of the current need with what skill-sets are available. This research aims to provide a starting point towards a standardised future solution which considers existing emerging standards and technologies to provide skills tracking capability. The existing standards, data schema, technologies and techniques are discussed and an existing real-world prototype architecture is identified. This prototype’s terminology is then mapped to the emerging World Wide Web Consortium (W3C) standards which will serve as a baseline design.

Paper Nr: 108
Title:

A Protection against the Extraction of Neural Network Models

Authors:

Hervé Chabanne, Vincent Despiegel and Linda Guiga

Abstract: Given oracle access to a Neural Network (NN), it is possible to extract its underlying model. We here introduce a protection by adding parasitic layers which keep the underlying NN’s predictions mostly unchanged while complexifying the task of reverse-engineering. Our countermeasure relies on approximating a noisy identity mapping with a Convolutional NN. We explain why the introduction of new parasitic layers complexifies the attacks. We report experiments regarding the performance and the accuracy of the protected NN.

Short Papers
Paper Nr: 5
Title:

Experiences and Recommendations from Operating a Tor Exit Node at a University

Authors:

Michael Sonntag and René Mayrhofer

Abstract: We report on a multi-year operation of a Tor exit node at a public university and provide recommendations for running other instances. These include legal issues, such as permissions perhaps required in advance, and where potential pitfalls are, like blocking content/DNS resolution or monitoring/logging requirements. We also discuss organizational aspects including preparations for inquiries and problem reports, how to avoid issues with potential legal enforcement, or who should have access to which systems. Technical issues are discussed in detail, including lessons learnt from DoS attacks both on the university as well as the exit node in particular. Finally, we provide technical and organizational recommendations on longitudinal data collection and other research on exit node traffic without compromising anonymity.

Paper Nr: 11
Title:

Automatically Extracting Business Level Access Control Requirements from BPMN Models to Align RBAC Policies

Authors:

Roman Pilipchuk, Robert Heinrich and Ralf Reussner

Abstract: IT security becomes increasingly important due to the rise of cybercrime incidents but also obligatory security and privacy laws that include confidentiality regulations. To prevent cybercriminal attacks, the business level has to identify critical business data and introduce organization-wide security standards. A close cooperation with the IT level is crucial to avoid mistakes and misunderstandings of security requirements, both may cause severe security breaches. An important building block are access control requirements (ACRs). In a costly, complex and manual role engineering process, experts have to elicit appropriate role-based access control (RBAC) policies according to business security and confidentiality models. This paper makes a first step to close this gap with an approach that automatically extracts business level ACRs from BPMN business processes to build an initial RBAC role model and establish traceability from RBAC policies to business processes. Case study results indicate that the accuracy of extracted policies is appropriate, adaptations in evolution scenarios become faster and human errors are reduced during the engineering of RBAC policies.

Paper Nr: 17
Title:

Towards Collaborative Cyber Threat Intelligence for Security Management

Authors:

Oleksii Osliak, Andrea Saracino, Fabio Martinelli and Theo Dimitrakos

Abstract: Managing access to resources is one of the security mechanisms used for protecting the organization’s assets from unauthorized usage, and thus potential data leaks. Thus, keeping access control policies up to date is a crucial task for any organization. However, the access control policy update process usually requires direct interaction of security specialists, which have knowledge and experience in counteracting abuse of privileges. Therefore, in this paper, we consider access control policies update using collaborative knowledge in the latest cyber activities. We describe the correlation between security policies and security reports using ontology for cybersecurity. Finally, we present a framework that enables access control policies update within the Cloud infrastructure offered by Amazon using Cyber Threat Intelligence.

Paper Nr: 18
Title:

A Secure Network Scanner Architecture for Asset Management in Strongly Segmented ICS Networks

Authors:

Matthias Niedermaier, Thomas Hanka, Florian Fischer and Dominik Merli

Abstract: Industrial Control System (ICS) are essential for process automation and control in critical infrastructures, like smart grids, water distribution and also food production, in our modern world. These industrial devices will be even more connected, due to the trend of Industry 4.0 and Internet of Things (IoT), to provide additional functionality. An example for a use case is predictive maintenance, where sensor data is required, to e.g. replace defective parts before outage. While connectivity enables easier and more efficient process management, it also increases the attack surface for cyber-attacks. To provide secure operation for interconnected ICSs additional protection measures, like asset management should be applied, to observe and maintain assets within a control network. One of the first steps to improve cyber-security with asset management is device identification in ICS networks. A common method for device identification is active network scanning, which adds additional network traffic to the ICS network. Because of the common segmentation with firewalls of ICS networks, scanner nodes in each sub-network are necessary. The distribution of active scan nodes typically adds additional cross connections within segmented ICS networks. In this paper, we introduce a secure scanning architecture for fragile ICS networks. Our architecture is based on scanning nodes, which use the concept of hardware-based data diodes to e.g. separate the critical control network from the office network. To ensure a gentle scan on fragile ICS networks, the scan node provide a bandwidth limitation of the scan, to reduce risk of influences within ICS networks. We implemented a Proof of Concept (PoC) system and evaluated it within our industrial testbed, to show the feasibility of our architecture.

Paper Nr: 20
Title:

Canopy: A Learning-based Approach for Automatic Low-and-Slow DDoS Mitigation

Authors:

Lucas Cadalzo, Christopher H. Todd, Banjo Obayomi, W. B. Moore and Anthony C. Wong

Abstract: In a low-and-slow distributed denial-of-service (LSDDoS) attack, an adversary attempts to degrade the server with low-bandwidth requests specially crafted to slowly transmit data, consuming an inordinate amount of the server’s resources. This paper proposes Canopy, a novel approach for detecting LSDDoS attacks by applying machine learning techniques to extract meaning from observed patterns of TCP state transitions. While existing works have presented techniques that successfully mitigate different examples of LSDDoS attacks, Canopy has uniquely shown the ability to mitigate a diverse set of LSDDoS attacks, including never-before-seen attacks, all while maintaining a low false positive rate. Canopy is able to detect and mitigate low-and-slow attacks accurately and quickly: our tests find that attacks are identified during 100% of test runs within 650 milliseconds. Server performance is restored quickly: in our experimental testbed, we find that clients’ experience is restored to normal within 7.5 seconds. During active attack mitigation, which only occurs during server performance degradation indicative of an attack, Canopy exhibits minimal erroneous mitigative action applied to benign clients as it achieves a precision of 99%. Finally, we show that Canopy’s capabilities generalize well to LSDDoS attacks not included in its training dataset, identifying never-before-seen attacks within 750 milliseconds.

Paper Nr: 27
Title:

Active Directory Kerberoasting Attack: Detection using Machine Learning Techniques

Authors:

Lukáš Kotlaba, Simona Buchovecká and Róbert Lórencz

Abstract: Active Directory is a prevalent technology used for managing identities in modern enterprises. As a variety of attacks exist against Active Directory environment, its security monitoring is crucial. This paper focuses on detection of one particular attack - Kerberoasting. The purpose of this attack is to gain access to service accounts’ credentials without the need for elevated access rights. The attack is nowadays typically detected using traditional ”signature-based” detection approaches. Those, however, often result in a high number of false alerts. In this paper, we adopt machine learning techniques, particularly several anomaly detection algorithms, for detection of Kerberoasting. The algorithms are evaluated on data from a real Active Directory environment and compared to the traditional detection approach, with a focus on reducing the number of false alerts.

Paper Nr: 33
Title:

Linking Biometric Voice Identity with Self-monitoring Health Data as a Temporal-spatial Event Stored in a Mobile Device

Authors:

Bon Sy

Abstract: The goal of this research is to investigate a biometric solution that links biometric personal identity to self-monitoring data, with time and location information, as a temporal-spatial event in a personal health record stored in a mobile device. The proposed biometric solution is based on a secure computation technology that reconstructs a cryptographic key for (un)locking personal health record in real time when a verification sample is sufficiently similar to the enrollment sample whereas the verification process is based on a secure two-party security computation that compares the enrollment and verification samples without either party sharing the data with each other, nor relying on a trusted third party. The contribution of this research is to demonstrate the practical feasibility of the approach in a resource constrained mobile computing environment. The significance of this research is its potential application for enabling a safe bubble space for social interaction among individuals who have self-monitoring data showing lack of Covid-19 symptoms at a specific time and location.

Paper Nr: 35
Title:

DLP-Visor: A Hypervisor-based Data Leakage Prevention System

Authors:

Guy Amit, Amir Yeshooroon, Michael Kiperberg and Nezer J. Zaidenberg

Abstract: Data theft by insiders is considered by many organisations to be one of the most serious threats. Data leakage prevention (DLP) systems attempt to prevent intentional or accidental disclosure of sensitive information by monitoring the content or the context in which the information is transferred, for example, in a file system, an email server, instant messengers. We present a context-sensitive DLP system, called DLP-Visor, which is implemented as a thin hypervisor capable of intercepting system calls in Windows operating systems equipped with Kernel Patch Protection. By intercepting system calls that govern the file system, inter-process communications, networking, system register and system clipboard, DLP-Visor guarantees that sensitive information can never leave a predefined set of directories. The performance overhead of DLP-Visor (7.2%) allows its deployment in real-world applications.

Paper Nr: 38
Title:

Continuous Authentication based on Hand Micro-movement during Smartphone Form Filling by Seated Human Subjects

Authors:

Aratrika Ray, Daqing Hou, Stephanie Schuckers and Abbie Barbir

Abstract: Mobile devices typically rely on entry-point and other one-time authentication mechanisms such as a password, PIN, fingerprint, iris, or face. But these authentication types are prone to a wide attack vector and worse still, once compromised, fail to protect the user’s account and data. In contrast, continuous authentication, based on traits of human behavior, can offer additional security measures in the device to authenticate against unauthorized users, even after the entry-point and one-time authentication has been compromised. To this end, we have collected a new data-set of multiple behavioral biometric modalities (49 users) when a user fills out an account recovery form in sitting using an Android app. These include motion events (acceleration and angular velocity), touch and swipe events, keystrokes, and pattern tracing. In this paper, we focus on authentication based on motion events by evaluating a set of score level fusion techniques to authenticate users based on the acceleration and angular velocity data. The best EERs of 2.4% and 6.9% for intra- and inter-session respectively, are achieved by fusing acceleration and angular velocity using Nandakumar et al.’s likelihood ratio (LR) based score fusion.

Paper Nr: 41
Title:

Blockchain based Secured Virtual Machine Image Monitor

Authors:

Srijita Basu, Sandip Karmakar and Debasish Bera

Abstract: Blockchain technology supports data immutability. Whereas, smart contracts are piece of self-executable codes running inside the blockchain network, responsible for the transformation or state change of these data. Furthermore, Cloud Computing is used in the application of data storage and usage. Several business enterprises use cloud for hosting their applications and data with a minimized effort, cost and hurdles of maintenance. However, ensuring security of client data and proper management of the Service Provider’s infrastructure remains a crucial issue. In this article, an Ethereum based blockchain network has been proposed that monitors and assures the safety of the Virtual Machine Images (VMI) stored at the Cloud Service Provider (CSP) end. The proposed scheme tends to design a dedicated Smart Contract which handles each and every function, starting from request of a VMI by the Cloud Service Consumer (CSC) to the usage of the same by the later. The use of blockchain technology ensures that no single admin/third party can control/modify the system. This prevents unwanted modification of the VMIs by an intruder and guarantees the efficiency of the scheme to be higher than any other methodology designed for the same purpose till date.

Paper Nr: 44
Title:

The Proposal of Double Agent Architecture using Actor-critic Algorithm for Penetration Testing

Authors:

Hoang V. Nguyen, Songpon Teerakanok, Atsuo Inomata and Tetsutaro Uehara

Abstract: Reinforcement learning (RL) is a widely used machine learning method for optimal decision-making compared to rule-based methods. Because of that advantage, RL has also recently been used a lot in penetration testing (PT) problems to assist in planning and deploying cyber attacks. Although the complexity and size of networks keep increasing vastly every day, RL is currently applied only for small scale networks. This paper proposes a double agent architecture (DAA) approach that is able to drastically increase the size of the network which can be solved with RL. This work also examines the effectiveness of using current popular deep reinforcement learning algorithms including DQN, DDQN, Dueling DQN and D3QN algorithms for PT. The A2C algorithm using Wolpertinger architecture is also adopted as a baseline for comparing the results of the methods. All algorithms are evaluated using a proposed network simulator which is constructed as a Markov decision process (MDP). Our results demonstrate that DAA with A2C algorithm far outweighs other approaches when dealing with large network environments reaching up to 1000 hosts.

Paper Nr: 45
Title:

Two Stage Anomaly Detection for Network Intrusion Detection

Authors:

Helmut Neuschmied, Martin Winter, Katharina Hofer-Schmitz, Branka Stojanovic and Ulrike Kleb

Abstract: Network intrusion detection is one of the most import tasks in today’s cyber-security defence applications. In the field of unsupervised learning methods, variants of variational autoencoders promise good results. The fact that these methods are very computationally time-consuming is hardly considered in the literature. Therefore, we propose a new two-stage approach combining a fast preprocessing or filtering method with a variational autoencoder using reconstruction probability. We investigate several types of anomaly detection methods mainly based on autoencoders to select a pre-filtering method and to evaluate the performance of our concept on two well established datasets.

Paper Nr: 46
Title:

Ontology-based Cybersecurity and Resilience Framework

Authors:

Helmar Hutschenreuter, Salva D. Çakmakçı, Christian Maeder and Thomas Kemmerich

Abstract: In the digital age, almost all organizations have become dependent on Information Technology (IT) systems at different levels of their individual and collective activities. Physical infrastructures are inextricably tied to the functioning of IT systems that are vulnerable to internal and external cyber threats. Attacks can cause unavailability or malfunction of systems which in turn prevent or mislead ongoing business processes in organizations. Today, organizations not only require cybersecurity programs to protect themselves against cyber threats but also need a resilience strategy to guarantee business continuity even during cyber incidents. This paper includes the results of ongoing research for securing maritime port ecosystems and making them cyber resilient. We propose a framework based on ontologies and logical inference to meet requirements of resilient IT systems regarding response to and recovery from cyber incidents.

Paper Nr: 61
Title:

Profiling and Discriminating of Containerized ML Applications in Digital Data Marketplaces (DDM)

Authors:

Lu Zhang, Reginald Cushing, Ralph Koning, Cees de Laat and Paola Grosso

Abstract: A Digital Data Marketplace (DDM) facilitates secure and trustworthy data sharing among multiple parties. For instance, training a machine learning (ML) model using data from multiple parties normally contributes to higher prediction accuracy. It is crucial to enforce the data usage policies during the execution stage. In this paper, we propose a methodology to distinguish programs running inside containers by monitoring system calls sequence externally. To support container portability and the necessity of retraining ML models, we also investigate the stability of the proposed methodology in 7 typical containerized ML applications over different execution platform OSs and training data sets. The results show our proposed methodology can distinguish between applications over various configurations with an average classification accuracy of 93.85%, therefore it can be integrated as an enforcement component in DDM infrastructures.

Paper Nr: 64
Title:

Representation of PE Files using LSTM Networks

Authors:

Martin Jureček and Matouš Kozák

Abstract: An ever-growing number of malicious attacks on IT infrastructures calls for new and efficient methods of protection. In this paper, we focus on malware detection using the Long Short-Term Memory (LSTM) as a preprocessing tool to increase the classification accuracy of machine learning algorithms. To represent the malicious and benign programs, we used features extracted from files in the PE file format. We created a large dataset on which we performed common feature preparation and feature selection techniques. With the help of various LSTM and Bidirectional LSTM (BLSTM) network architectures, we further transformed the collected features and trained other supervised ML algorithms on both transformed and vanilla datasets. Transformation by deep (4 hidden layers) versions of LSTM and BLSTM networks performed well and decreased the error rate of several state-of-the-art machine learning algorithms significantly. For each machine learning algorithm considered in our experiments, the LSTM-based transformation of the feature space results in decreasing the corresponding error rate by more than 58.60 %, in comparison when the feature space was not transformed using LSTM network.

Paper Nr: 67
Title:

How to Improve the GDPR Compliance through Consent Management and Access Control

Authors:

Said Daoudagh, Eda Marchetti, Vincenzo Savarino, Roberto Di Bernardo and Marco Alessi

Abstract: This paper presents a privacy-by-design solution based on Consent Manager (CM) and Access Control (AC) to aid organizations to comply with the GDPR. The idea is to start from the GDPR’s text, transform it into a machine-readable format through a given CM, and then convert the obtained outcome to a set of enforceable Access Control Policies (ACPs). As a result, we have defined a layered architecture that makes any given system privacy-aware, i.e., systems that are compliant by-design with the GDPR. Furthermore, we have provided a proof-of-concept by integrating a Consent Manager coming from an industrial context and an AC Manager coming from academia.

Paper Nr: 71
Title:

Sociocultural Influences for Password Definition: An AI-based Study

Authors:

Carlos Ocanto Dávila, Rocío Cabrera Lozoya and Slim Trabelsi

Abstract: Most of the research that analyses password security has been developed targeting English-speaking users. In this work, we present a framework for password segmentation, semantic classification, and clustering, in a multilingual context. This research uses natural language processing, statistical and deep learning techniques to obtain and leverage semantic patterns for password definition. Using the methods proposed in this work in password-guessing models produce over a 10% increase with respect to state-of-the-art methods (with a guessing space limited to 500 million predictions) on a dataset of leaked credentials.

Paper Nr: 75
Title:

A Lemon by Any Other Label

Authors:

Vaibhav Garg

Abstract: Apparent under-investment in IoT security is often explained by the lack of consumer demand engendered by information asymmetries. One proposed solution is to create IoT security labels as a market signal of differentiation. Such labeling may be binary, graded, or descriptive. Each label type can be further differentiated based on distinct implementations. This paper surveys the existing efforts to create IoT security labels along with the inherent limitations of individual approaches. Overall, we find that there is limited research in this area, which makes it difficult to ascertain the components of an effective IoT security label. We recommend that label designs should limit complexity and leverage existing institutions, such as trade groups, for sustainability as well as adoption.

Paper Nr: 76
Title:

Implementing Secure Applications Thanks to an Integrated Secure Element

Authors:

Sylvain Guilley, Michel L. Rolland and Damien Quenson

Abstract: More and more networked applications require security, with keys managed at the end-point. However, traditional Secure Elements have not been designed to be connected. There is thus a need to bridge the gap, and novel kinds of Secure Elements have been introduced in this respect. Connectivity has made it possible for a single chip to implement multiple usages. For instance, in a smart- phone, security is about preventing the device from being rooted, but also about enabling user’s online privacy. Therefore, Secure Elements shall be compatible with multiple requirements for various vertical markets (e.g., payment, contents protection, automotive, etc.). The solution to this versatility is the integration of the Secure Element within the device main chip. Such approach, termed iSE (integrated Secure Element), consists in the implementation of a subsystem, endowed to manage the chip security, within a host System-on-Chip. The iSE offers flexibility in the security deployment. However, natural questions that arise are: how to program security applications using an iSE? How to certify those applications, most likely according to several different schemes? This position paper addresses those questions, and comes up with some key concepts of on-chip security, in terms of iSE secure usage. In particular, we will show in this paper that iSE nowadays shall be designed so that the product it embeds is certifiable in a multiplicity of schemes, and so even before the product is launched on the market.

Paper Nr: 79
Title:

An Asynchronous Federated Learning Approach for a Security Source Code Scanner

Authors:

Sabrina Kall and Slim Trabelsi

Abstract: Hard-coded tokens and secrets leaked through source code published on open-source platforms such as Github are a pervasive security threat and a time-consuming problem to mitigate. Prevention and damage control can be sped up with the aid of scanners to identify leaks, however such tools tend to have low precision, and attempts to improve them through the use of machine learning have been hampered by the lack of training data, as the information the models need to learn from is by nature meant to be kept secret by its owners. This problem can be addressed with federated learning, a machine learning paradigm allowing models to be trained on local data without the need for its owners to share it. After local training, the personal models can be merged into a combined model which has learned from all available data for use by the scanner. In order to optimize local machine learning models to better identify leaks in code, we propose an asynchronous federated learning system combining personalization techniques for local models with merging and benchmarking algorithms for the global model. We propose to test this new approach on leaks collected from the code-sharing platform Github. This use case demonstrates the impact on the accuracy of the local models employed by the code scanners when we apply our new proposed approach, balancing federation and personalization to handle often highly diverse and unique datasets.

Paper Nr: 85
Title:

Stopping DNS Rebinding Attacks in the Browser

Authors:

Mohammadreza Hazhirpasand, Arash A. Ebrahim and Oscar Nierstrasz

Abstract: DNS rebinding attacks circumvent the same-origin policy of browsers and severely jeopardize user privacy. Although recent studies have shown that DNS rebinding attacks pose severe security threats to users, up to now little effort has been spent to assess the effectiveness of known solutions to prevent such attacks. We have carried out such a study to assess the protective measures proposed in prior studies. We found that none of the recommended techniques can entirely halt this attack due to various factors, e.g., network layer encryption renders packet inspection infeasible. Examining the previous problematic factors, we realize that a protective measure must be implemented at the browser-level. Therefore, we propose a defensive measure, a browser plug-in called Fail-rebind, that can detect, inform, and protect users in the event of an attack. Afterwards, we discuss the merits and limitations of our method compared to prior methods. Our findings suggest that Fail-rebind does not necessitate expert knowledge, works on different OSes and smart devices, and is independent of networks and location.

Paper Nr: 87
Title:

Securing the Linux Boot Process: From Start to Finish

Authors:

Jakob Hagl, Oliver Mann and Martin Pirker

Abstract: The security of the operating system is a prominent feature in today’s Linux distributions. A common security practice is to encrypt the hard drive, to protect the data at rest. The UEFI Forum released the secure boot specification, an optional boot process protocol that improves security during boot up on secure boot enabled hardware. A combination of secure boot with the Linux operating system, along with full disk encryption in an effort to implement maximum security is non-trivial. This paper explores the challenges of this undertaking and reports on a practical evaluation with five major Linux distributions, how far they support these security features by default and what can be improved manually.

Paper Nr: 92
Title:

Towards Exploring User Perception of a Privacy Sensitive Information Detection Tool

Authors:

Vanessa Bracamonte, Welderufael B. Tesfay and Shinsaku Kiyomoto

Abstract: Users reveal privacy sensitive information when they post on social media, which can have negative consequences. To help these users make informed decisions, different tools have been developed that detect privacy sensitive information (PSI) and provide alerts. However, how users would perceive this type of tool has not yet been evaluated. In this position paper, we take the first steps to address this gap, by exploring user intention, perceived usefulness and attitude towards a PSI detection tool. We designed an experiment and showed participants examples of the PSI detection tool alerts, and quantitatively and qualitatively evaluated their response. The results showed that participants perceived the PSI detection tool as useful, had positive interest, and a low level of concern about it, although they had a neutral level of intention of using the tool. The participants’ open-ended responses revealed that they considered the PSI detection tool useful, but mostly for other people and not for themselves. In addition, they were concerned about the privacy risks of using the tool and about its effectiveness. The findings reveal the challenges that PSI detection tools have to overcome to gain acceptance among users that would benefit from this type of privacy protection.

Paper Nr: 95
Title:

Improving Classification of Malware Families using Learning a Distance Metric

Authors:

Martin Jureček, Olha Jurečková and Róbert Lórencz

Abstract: The objective of malware family classification is to assign a tested sample to the correct malware family. This paper concerns the application of selected state-of-the-art distance metric learning techniques to malware families classification. The goal of distance metric learning algorithms is to find the most appropriate distance metric parameters concerning some optimization criteria. The distance metric learning algorithms considered in our research learn from metadata, mostly contained in the headers of executable files in the PE file format. Several experiments have been conducted on the dataset with 14,000 samples consisting of six prevalent malware families and benign files. The experimental results showed that the average precision and recall of the k -Nearest Neighbors algorithm using the distance learned on training data were improved significantly comparing when the non-learned distance was used. The k -Nearest Neighbors classifier using the Mahalanobis distance metric learned by the Metric Learning for Kernel Regression method achieved average precision and recall, both of 97.04% compared to Random Forest with a 96.44% of average precision and 96.41% of average recall, which achieved the best classification results among the state-of-the-art ML algorithms considered in our experiments.

Paper Nr: 102
Title:

MADLIRA: A Tool for Android Malware Detection

Authors:

Khanh Huu The Dam and Tayssir Touili

Abstract: Today, there are more threats to Android users since malware writers are changing their target to explore the weakness of Android devices, in order to generate malicious behaviors. Thus, detecting Android malwares is becoming crucial. We present in this paper a tool, called MADLIRA (MAlware Detection using Learning and Information Retrieval for Android). This tool implements two static approaches: (1) apply Information Retrieval techniques to automatically extract malicious behaviors from a set of malicious and benign applications, (2) apply learning techniques to automatically learn malicious applications. Then, in both cases, MADLIRA can classify a new Android application as malicious or benign.

Paper Nr: 107
Title:

Privacy Preserving Services for Intelligent Transportation Systems with Homomorphic Encryption

Authors:

Aymen Boudguiga, Oana Stan, Abdessamad Fazzat, Houda Labiod and Pierre-Emmanuel Clet

Abstract: With the advent of intelligent transportation systems, vehicles will connect continuously to the Internet via the vehicular core network or the cellular network. Opening vehicles systems to the Internet aims at improving vehicles safety and comfort via the development of remote services for drivers assistance. Such services are for example infotainment applications, software update over the air, remote diagnostics and adaptive insurance. However, some of these services come with an inherent problem of privacy as they require as inputs the private data from the vehicles. In this work, we investigate the use of homomorphic encryption for ensuring the confidentiality of vehicles private data. We study the confidentiality of data, which are treated by external service providers such as cars manufacturers, their stakeholders and insurances. Our protocol ensures, by design, the private treatment of vehicles data thanks to homomorphic encryption properties. We validate our proposal by studying drivers behaviour using a simple neural network that takes as input drivers pictures and tells whether a driver is concentrated or distracted. Indeed, we rely on a 3 layers network for classifying drivers behavior in 10 different classes from normal to dangerous. We use a quadratic activation function for intermediate layers which contain 20 and 10 units, respectively. Meanwhile, we use a sigmoid activation function for the last layer which contains 10 units, one per label. Our classification takes 11 seconds with a classification accuracy of 86% and 25 seconds with a classification accuracy of 92%.

Paper Nr: 110
Title:

Security Property Modeling

Authors:

Hiba Hnaini, Luka L. Roux, Joel Champeau and Ciprian Teodorov

Abstract: With the increasing number of cyber-attacks on cyber-physical systems, many security precautions and solutions have been suggested. However, most of these solutions aim to prevent the access of an adversary to the system. Though, with the increasing number of elements used in a system, and thus vulnerabilities, it is essential to study the risks introduced to the system to make the system itself efficient enough to react to the attacks once an attacker has obtained access. Analyzing and discovering the risks is the first step to making the system more resilient. This paper proposes a methodology that combines the qualitative risk analysis with formal methods ( model checking ) to identify the risks that were not recognized during testing or functional modeling phases. To examine this methodology, a car reservation system is modeled with an attacker, and then its security properties are verified using UPPAAL model checking tool. As a result, some risks were identified and tested for the possibility of them occurring and their effects on the system.

Paper Nr: 111
Title:

Developing Cyber-risk Centric Courses and Training Material for Cyber Ranges: A Systematic Approach

Authors:

Gencer Erdogan, Antonio Á. Romero, Niccolò Zazzeri, Anže Žitnik, Mariano Basile, Giorgio Aprile, Mafalda Osório, Claudia Pani and Ioannis Kechaoglou

Abstract: The use of cyber ranges to train and develop cybersecurity skills and awareness is attracting more attention, both in public and private organizations. However, cyber ranges typically focus mainly on hands-on exercises and do not consider aspects such as courses, learning goals and learning objectives, specific skills to train and develop, etc. We address this gap by proposing a method for developing courses and training material based on identified roles and skills to be trained in cyber ranges. Our method has been used by people with different background grouped in academia, critical infrastructure, research, and service providers who have developed 22 courses including hands-on exercises. The developed courses have been tried out in pilot studies by SMEs. Our assessment shows that the method is feasible and that it considers learning and educational aspects by facilitating the development of courses and training material for specific cybersecurity roles and skills.

Paper Nr: 112
Title:

Release-aware In-out Encryption Adjustment in MongoDB Query Processing

Authors:

Maryam Almarwani, Boris Konev and Alexei Lisitsa

Abstract: Querying over encrypted data typically uses multi-layered (onion) encryption, which requires level adjustment when processing queries. Previous studies, such as on CryptDB, emphasize the importance of inward encryption adjustment, from outer layers to inner layers, releasing information necessary for query execution. Even though the idea of outward encryption adjustment, which is used to re-establish the outer layers after query processing, is very natural and appeared already in the early papers on CryptDB as a topic for future work, no prior studies have addressed it systematically. This paper extends previous work on intelligent, release-aware encryption adjustment for document-based databases querying with the outward adjustment policy. We define the resulting Release-Aware In-Out Encryption Adjustment principles and report on their empirical evaluation using both local and cloud deployment of MongoDB. The evaluation utilizing datasets of different sizes shows that the proposed method is efficient, scalable, and provides better data protection.

Paper Nr: 113
Title:

Learning from Smartphone Location Data as Anomaly Detection for Behavioral Authentication through Deep Neuroevolution

Authors:

Mhd Irvan, Tran P. Thao, Ryosuke Kobayashi, Toshiyuki Nakata and Rie S. Yamaguchi

Abstract: Passwords and face recognition are some examples of many approaches to authenticate smartphone users. These approaches typically authenticate users at an initial log-in or unlock session, and there are risks of an unauthorized person using the authenticated account if the smartphone owner lose their device while still in unlocked status. Because of this reason, there is a necessity to continuously authenticate from time to time. Passwords and biological biometrics-based authentication procedures are impractical for this kind of situation because they require constant interruption. In this early research we are applying a behavioral authentication approach implementing location history data to implicitly authenticate users. Traits derived from users’ movements are easy to monitor and hard to fake. Previously visited locations represent patterns within people’s daily behaviors and in this paper we are proposing deep learning method evolved by genetic algorithms to recognize such patterns and to correctly authenticate people that match the patterns.

Paper Nr: 2
Title:

Admonita: A Recommendation-based Trust Model for Dynamic Data Integrity

Authors:

Wassnaa Al-Mawee, Steve Carr and Jean Mayo

Abstract: Data integrity is critical to the secure operation of a computer system. Applications need to know that the data that they access is trustworthy. Many current production-level integrity models are tightly coupled to a specific domain, (e.g., databases), or only apply after the fact (e.g., backups). In this paper we propose a recommendation-based trust model, called Admonita, for data integrity that is applicable to any structured data in a system and provides a measure of trust to applications on-the-fly. The proposed model is based on the Biba integrity model and utilizes the concept of an Integrity Verification Procedure (IVP) proposed by Clark-Wilson. Admonita incorporates subjective logic to maintain the trustworthiness of data and applications in a system. To prevent critical applications from losing trust, Admonita also incorporates the principle of weak tranquility to ensure that highly trusted applications can maintain their trust levels. We develop a simple algebra around these elements and describe how it can be used to calculate the trustworthiness of system entities. By applying subjective logic, we build a powerful, artificial and reasoning trust model for implementing data integrity.

Paper Nr: 7
Title:

Mobile Robots: An Overview of Data and Security

Authors:

Esmeralda Kadena, Huu D. Nguyen and Lourdes Ruiz

Abstract: The field of mobile robotics has become the focus of several types of research for many years. The revolutionary technology of Wireless Sensor Networks (WSNs) has provided many benefits for the process of data collection and communication. On the other hand, the network is facing challenges in supporting the traffic requirements to carry on the data flow generated by the nodes. Hence, the focus of this work is to give an overview of data processes in mobile robots based on the literature review. At first, we present the definitions and the most common types of mobile robots. Then, we emphasize the role of sensors and sensor nodes in WSNs for gathering and communicating the data. In the fourth section, we extend this work by introducing the main security issues posed to data in mobile robots. Our conclusions are drawn in the end. As this paper generally describes and points out the main problems related to data in mobile robots, further analysis is planned for future work.

Paper Nr: 12
Title:

Protecting Privacy during a Pandemic Outbreak

Authors:

Karsten Martiny, Linda Briesemeister, Grit Denker, Mark S. John and Ron Moore

Abstract: Respecting privacy is a major challenge when sharing data among enterprises. Because of the high stakes and complexity, enterprises need expressive and clear methods for defining tailored data sharing so that they can share the right information with the right partners with confidence. This paper describes a privacy-oriented declarative policy framework together with an intuitive user interface to manage data sharing policies. It introduces a use case about a pandemic outbreak, in which the system can be used to share relevant information with partners to ensure that help can be coordinated quickly and effectively, while at the same time ensuring that the privacy of individuals remains protected and not sharing overly widely. A set of privacy policies is introduced to describe how the policy system can meet these requirements.

Paper Nr: 13
Title:

Enhanced Information Management in Inter-organisational Planning for Critical Infrastructure Protection: Case and Framework

Authors:

Christine Große

Abstract: This paper develops an analytical framework to assess information in planning for critical infrastructure protection (CIP). Critical infrastructure concerns various societal functions that ensure the daily life, endurance and progress of societies. Thus, CIP involves a considerable number of actors in a multi-level planning that relies on inter-organisational information sharing. Based on a Swedish case of CIP, this study aims to foster information assessment and management that bridge the inherent conflicts between information sharing and information security in CIP. Analyses of the information alongside the Swedish STYREL process first exemplify crucial deficiencies in the inter-organisational, national emergency response planning and then specify a set of dimensions and attributes as baseline for assessing information and information processing in CIP. Four stages in the Swedish approach cause a filtering and altering of information that affect the quality of decisions alongside the process and the emergency response plan that relies on them. By assessing the information basis in this large-scale approach, the paper contributes evidence-based foundations for information management in inter-organisational settings, such as the multi-level planning for CIP.

Paper Nr: 14
Title:

Model-based Threat and Risk Assessment for Systems Design

Authors:

Avi Shaked and Yoram Reich

Abstract: Integrating cybersecurity considerations in the design of modern systems is a significant challenge. As systems increasingly rely on connectivity and software to perform, cybersecurity issues of confidentiality, integrity and availability emerge. Addressing these issues during the design of a system – a security by-design approach – is desirable, and considered preferable to patching an existing design with extraneous components and mechanisms. In this paper, we present a model-based methodology for cybersecurity related systems design. This field-proven methodology takes into consideration cybersecurity threats alongside the system’s composition and existing mechanisms, in order to communicate, assess and drive the incorporation of security controls into the system design. We discuss aspects of the methodology’s design and how it relates to its real-life applications and usage context.

Paper Nr: 21
Title:

Remote WebAuthn: FIDO2 Authentication for Less Accessible Devices

Authors:

Paul Wagner, Kris Heid and Jens Heider

Abstract: Nowadays, passwords are the prevalent authentication mechanism, even though it is proven to offer insufficient protection against cyber crime. Thus, FIDO2 was released with a more secure authentication mechanism. FIDO2 enables authentification with cryptographic hardware, such as USB sticks, NFC cards or in the smartphone integrated chips. A device with FIDO2 support is required to implement the whole FIDO2 stack and offer the required interfaces for the security hardware. However, many systems like for example Smart TVs can not make use of FIDO2 due to the lack of HW interfaces or the usage of outdated software. To overcome this, we present Remote WebAuthn, which enables secure authentification on such restricted devices through a remote authentication from a secondary, FIDO2 compatible device, such as a smartphone. We evaluate our approach to have better usability compared to FIDO2 while maintaining most security advantages.

Paper Nr: 28
Title:

Field Studies on the Impact of Cryptographic Signatures and Encryption on Phishing Emails

Authors:

Stefanie Pham, Matthias Schopp, Lars Stiemert, Sebastian Seeber, Daniela Pöhn and Wolfgang Hommel

Abstract: Phishing is a type of scam designed to steal users’ personal information, e.g. passwords, credit card information, or other account details. Phishing websites look similar to legitimate ones, making it difficult for users to differentiate between them. Phishing attacks are constantly being improved and the range of techniques used are continuously expanded. Signatures and encryption in emails are security mechanisms that phishers could attempt to misuse. This paper analyses the potential of these methods. Two comparative studies on the effect of Pretty Good Privacy (PGP) signatures and encryption in phishing mails were conducted. The effect was analysed in social and security-related contexts and with computer-savvy as well as regular recipients. We examined the factors computer experience, signature, encryption, signature and encryption, as well as interaction between computer experience and signatures. The results indicate a potential for misuse. Observations made during this study are stated along with future work.

Paper Nr: 30
Title:

Towards a Formalisation of Expert’s Knowledge for an Automatic Construction of a Vulnerability Model of a Cyberphysical System

Authors:

Witold Klaudel and Artur Rataj

Abstract: We present a method for a quantitative formulation of the knowledge of security experts, to be used in an evaluation of attack costs in a cyberphysical system. In order to make the formulation practical, we classify the attacker forms and its attack positions. Applying boiler-plate patterns, like that of an operating system, is also possible. The obtained cost model may allow an exhaustive analysis of hypothetical weaknesses, employed in the design phase of a critical system.

Paper Nr: 31
Title:

A Novel Simplified Framework to Secure IoT Communications

Authors:

Sairath Bhattacharjya and Hossein Saiedian

Abstract: IoT devices are already in the process of becoming an essential part of our everyday lives. These devices specialize in performing a single operation efficiently. To maintain the privacy of user data, securing communication with these devices is essential. The plug-pair-play (P3) connection model uses the ZIP (zero interaction pairing) technique to set up a secured key for every pair of user and device so that the user doesn’t have to remember a complicated password. The command execution model provides an authentication mechanism for every transaction. Routing the transactions through the gateway allows for auditing, providing a zero-trust environment. The zero-trust (ZT) model described in this paper addresses confidentiality, integrity, and authentication triad of cybersecurity while ensuring that the interactions with these devices are seamless. The architecture described in this article makes security a backbone. The model described in this paper provides an end-to-end framework to secure the communication with these smart devices in a cloud-based architecture respecting the resource limitation of these devices. A novel simplified framework to secure IoT communication.

Paper Nr: 48
Title:

Study of Intra- and Inter-user Variance in Password Keystroke Dynamics

Authors:

Blaine Ayotte, Mahesh K. Banavar, Daqing Hou and Stephanie Schuckers

Abstract: Keystroke dynamics study how users input text via their keyboards. Having the ability to differentiate users, typing behaviors can unobtrusively form a component of a behavioral biometric recognition system to improve existing account security. However, because keystroke dynamics is behavioral biometric typing patterns can change over time. The temporal effects of keystroke dynamics are largely unstudied beyond empirically demonstrating that error rates will be higher for old or outdated profiles. In this paper, the effects on typing patterns over time is investigated in detail. Using a well-known fixed-text keystroke dynamics dataset, we show overall typing time for a provided password “.tie5Roanl” changes significantly over time, decreasing by almost 30%. Principal component analysis (PCA) is used to determine which monographs and digraphs tend to change throughout time. Rarely typed features, such as digraphs with a letter and number, are most likely to change over time, while commonly occurring features such as common digraphs and monographs are much more stable.

Paper Nr: 51
Title:

Windows Malware Binaries in C/C++ GitHub Repositories: Prevalence and Lessons Learned

Authors:

William L. Cholter, Matthew Elder and Antonius Stalick

Abstract: Does malware lurking in GitHub pose a threat? GitHub is the most popular open source software website, having 188 million repositories. GitHub hosts malware-related projects for research and educational purposes and has also been used by malware to attack users. In this paper, we explore the prevalence of unencrypted, uncompressed binary code malware in Microsoft Windows compatible C and C++ GitHub repositories and characterize the threat. We mined 1,835 repositories for already-compiled malicious files and data suggesting whether the repository is malware-related. We focused on these repositories because Windows is frequently targeted by malware written in C or C++. These repositories are good resources for attackers and could target Windows users. We extracted all Portable Executable (PE) files from all commits and queried the malware resource VirusTotal for analysis from its 76 anti-virus engines. Of the 24,395 files, 4,335 are suspicious, with at least one detection; 440 could be considered malicious, with at least seven detections. We identify topic tags suggesting malware or offensive security content, to differentiate from seemingly benign repositories. 197 of 440 malicious executables were in 27 ostensibly benign repositories. This work illustrates risks in source code repositories and lessons learned in relating GitHub and VirusTotal data.

Paper Nr: 55
Title:

Implementation of Secondary Available Digital Content Protection Schemes using Identity-based Signatures

Authors:

Nozomi Nagashima, Masaki Inamura and Keiichi Iwamura

Abstract: User generated content (UGC) is widespread, wherein general consumers utilize the Internet to generate content files. Using this service, content files can be easily created and uploaded. However, copyright is often not protected on the Internet. An activity known as a creative commons license enables authors to manage the secondary use of original content files. However, this license cannot prevent malicious editors from using the original files. Therefore, we propose technical protection measures using the creative commons license and identity-based signature, wherein authors apply identity-based signatures to content files that need to be protected. By verifying the signature, malicious edits performed on the files can be detected. We investigated the processing speed required for this via simulation and used the 3DCG movie editing tool "Miku Miku Dance" as the content files.

Paper Nr: 56
Title:

Towards an Ontology for Enterprise Level Information Security Policy Analysis

Authors:

Debashis Mandal and Chandan Mazumdar

Abstract: Securing the information and ICT assets in an enterprise is a vital as well as a challenging task because of the increase in cyber-attacks. Information Security policies are designed for an enterprise to prevent security breaches. An enterprise needs to adhere to and abide by the policies for its disciplined functioning. Analysis of the policies is necessary to find their applicability, conflict detection, revision and compliance checking for the enterprise. To analyze the policies, it is necessary to decompose them into its constituent parts. This decomposition is facilitated by ontologies. An in-depth analysis of the policy decomposition show that the published information security ontologies are grossly inadequate for any policy analysis application. In this paper we present an approach for development of an ontology specifically for information security policy analysis. The structure of the ontology and its implementation are presented and the importance of this ontology in information security policy analysis is established.

Paper Nr: 59
Title:

Enabling Monetization of Depreciating Data on Blockchains

Authors:

Christian Dahdah, Coline Van Leeuwen, Ziad Kheil, Jérôme Lacan, Jonathan Detchart and Thibault Gateau

Abstract: In this paper, we introduce a protocol to securely exchange data on chain while varying its price according to their freshness, maturity and lifetime. The exchange protocol, implemented as a smart contract, is best applied to crowdsourcing systems for fast depreciating digital goods, in which information is publicly shared after a given delay. The smart contract acts as a trusted intermediary to make sure that the funds of a client are delivered to the provider if and only if the data were really transferred. It also ensures that the data will be freely shared on the blockchain when the data has sufficiently depreciated. We demonstrate our work with an available prototype for specific space tracking data exchange.4

Paper Nr: 65
Title:

Understanding How People Weigh the Costs and Benefits of using Facebook

Authors:

Jack McClary and Sid Stamm

Abstract: Much work in privacy focuses on educating a system’s users so they will be better armed to take action based on the benefits and drawbacks of how their data is treated. Intuitively, this makes sense; one may expect people who perceive more benefit than risk in a system will elect to use it, but our research shows that is commonly not the case. We surveyed users of a social network to quantify what they perceive as the benefits and drawbacks of the platform. Given their net “value” perceived, we would have expected those who see mostly drawbacks (or a net cost) in its use to abandon the platform for a more privacy-preserving alternative. What we found was that only 62% of individuals we surveyed acted so rationally—the remainder either chose to use a platform they felt had a negative impact on their life, or chose to abandon one that served them favorably. This result indicates there are strong factors beyond rational cost/benefit analysis that lead people to decide what social platforms they use. This means that privacy professionals must focus not only on building transparency and choice, but also constructing viable alternatives so people do not feel pressured into using a platform they see as a net loss of personal privacy.

Paper Nr: 72
Title:

Efficient Semantic Representation of Network Access Control Configuration for Ontology-based Security Analysis

Authors:

Florian Patzer and Jürgen Beyerer

Abstract: Assessing countermeasures and the sufficiency of security-relevant configurations within networked system architectures is a very complex task. Even the configuration of single network access control (NAC) instances can be too complex to analyse manually. Therefore, model-based approaches have manifested themselves as a solution for computer-aided configuration analysis. Unfortunately, current approaches suffer from various issues like coping with configuration-language heterogeneity or the analysis of multiple NAC instances as one overall system configuration, which is the case for the maturity of analysis goals. In this paper, we show how deriving and modelling NAC configurations’ effects solves the majority of these issues by allowing generic and simplified security analysis and model extension. The paper further presents the underlying modelling strategy to create such configuration effect representations (hereafter referred to as effective configuration) and explains how analyses based on previous approaches can still be performed. Moreover, the linking between rule representations and effective configuration is demonstrated, which enables the tracing of issues, found in the effective configuration, back to specific rules.

Paper Nr: 81
Title:

HyperPass: Secure Password Input Platform

Authors:

Michael Kiperberg and Nezer J. Zaidenberg

Abstract: Confidential information, like passwords and credit card numbers, travel from the user’s local machine to a remote server via secure communication protocols. Whereas remote servers are serviced by security specialists, local machines are more vulnerable to memory attacks and keyloggers. To counter these attacks we propose a secure password input platform, called HyperPass, which is based on a thin hypervisor. The thin hypervisor acts as an isolated and secure environment for entering and encrypting user’s confidential information. HyperPass uses the keyboard’s scroll lock LED as a security indicator. Our evaluation shows that the performance overhead of HyperPass is insignificant (≈ 2.79%).

Paper Nr: 84
Title:

Detecting Cyber Security Attacks against a Microservices Application using Distributed Tracing

Authors:

Stephen Jacob, Yuansong Qiao and Brian Lee

Abstract: Microservices are emerging as the dominant software design architecture for many different applications, and cyber attacks are targeting more software organisations every day. Newer techniques for detecting cyber intrusions against such applications are in high demand. Application functionality that is executed within a microservices application can be monitored and logged using distributed tracing. Distributed tracing is normally used for performance management of microservices applications. In this paper, we used distributed tracing for detecting cyber-security attacks. Each microservice call, or sequence of calls, executed in response to a request by an end user of the application is logged as a trace. Anomaly detection is a means of detecting irregular or unusual events or patterns in a data set that occur to a greater or a lesser degree than the majority of the data. In this paper, we present initial work that identifies anomalous distributions of traces. A frequency distribution of traces is obtained from normal data and traffic is identified as an anomaly candidate if it differs sufficiently from the base distribution. This approach is evaluated using a password guessing attack. In addition, we briefly discuss a NoSQL injection attack which we argue is difficult to detect using trace data.

Paper Nr: 89
Title:

Leveraging Dynamic Information for Identity and Access Management: An Extension of Current Enterprise IAM Architecture

Authors:

Alexander Puchta, Sebastian Groll and Günther Pernul

Abstract: Identity and access management (IAM) functions as a core component for today’s enterprises managing digital identities and their access to resources. However, IAM systems are quite isolated from other applications with useful information resulting in individual data pots. By interconnecting these systems, important information on relevant IAM entities like criticality or usage information can be additionally gathered for further improvement. Current IAM landscapes within enterprises are not prepared for such challenges as the data needs to be harmonised, analysed, and verified. Within this work a state-of-the-art IAM architecture in enterprises and existing shortcomings are defined. Based on these, an extended IAM architecture scheme is proposed and described in detail. Key component is the integration of additional information sources for mutual benefit in IAM and external applications. Finally, the approach is applied to two use cases based on real data. They originate from our conducted IAM projects and show the feasibility of the proposed architecture.

Paper Nr: 90
Title:

Dreaming of Keys: Introducing the Phantom Gradient Attack

Authors:

Åvald Å. Sommervoll

Abstract: We introduce a new cryptanalytical attack, the phantom gradient attack. The phantom gradient attack is a key recovery attack that draws its foundations from machine learning and backpropagation. This paper provides the first building block to a full phantom gradient attack by showing that it is effective on simple cryptographic functions. We also exemplify how the attack could be extended to attack some of ASCONs’ permutations, the cryptosystem that won CAESAR the competition for authenticated encryption: security, applicability, and robustness.

Paper Nr: 94
Title:

Evaluation of Vulnerability Reproducibility in Container-based Cyber Range

Authors:

Ryotaro Nakata and Akira Otsuka

Abstract: The cyber range is a practical and highly educational information security exercise system, but it has not been widely used due to its high introduction and maintenance costs. Therefore, there is a need for a cyber range that can be adopted and maintained at a low cost. Recently, container type virtualization is gaining attention as it can create a high-speed and high-density exercise environment. However, existing researches have not clearly shown the advantages of container virtualization for building exercise environments. Moreover, it is not clear whether sufficient vulnerabilities are reproducible, required to conduct incident scenarios in the cyber range. In this paper, we compare container virtualization with existing virtualization type and confirm that the amount of memory, CPU, and storage consumption can be reduced to less than 1/10 of the conventional virtualization methods. We also compare and verify the reproducibility of the vulnerabilities used in common exercise scenarios and confirm that 99.3% of the vulnerabilities are reproducible. The container-based cyber range can be used as a new standard to replace existing methods.

Paper Nr: 96
Title:

A Dynamic Access Control System based on Situations of Users

Authors:

Hirokazu Hasegawa and Hiroki Takakura

Abstract: Recently, cyber attacks have been sophisticated and cause serious damages. As one of the solutions for mitigating the damages, the network separation and fine granularity of access controls are effective against attacks. However, the COVID-19 changes human work style, and telecommuting comes to be generally. It may give many chances to attackers for invading the organization’s internal network by infecting user’s vulnerable home terminals, which are out of control by the organization. To ensure the security of organizations, we propose a dynamic access control system based on the situations of users. The system evaluates communications based on the user’s risk and the importance of resources in destination terminals. When a user connects to the organization network from the outside, the system dynamically changes the access controls according to the evaluation results. The such situation requires stricter access controls than usual ones. For example, the communication by the high-risk user and the communication to servers storing important resources are restricted. By applying such dynamic access controls, the system enables us to ensure our network security with maintaining the convenience of users telecommuting.

Paper Nr: 101
Title:

An Overview of Cryptographic Accumulators

Authors:

Ilker Ozcelik, Sai Medury, Justin Broaddus and Anthony Skjellum

Abstract: This paper contributes a primer on cryptographic accumulators and how to apply them practically. A cryptographic accumulator is a space- and time-efficient data structure used for set membership tests. Since it is possible to represent any computational problem where the answer is yes or no as a set-membership problem, cryptographic accumulators are invaluable data structures in computer science and engineering. But, to the best of our knowledge, there is neither a concise survey comparing and contrasting various types of accumulators nor a guide for how to apply the most appropriate one for a given application. Therefore, we address that gap by describing cryptographic accumulators while presenting their fundamental and so-called optional properties. We discuss the effects of each property on the given accumulator’s performance in terms of space and time complexity, as well as communication overhead.

Paper Nr: 103
Title:

Securing Orchestrated Containers with BSI Module SYS.1.6

Authors:

Christoph Haar and Erik Buchmann

Abstract: Orchestrated container virtualization, such as Docker/Kubernetes, is an attractive option to transfer complex IT ecosystems into the cloud. However, this is associated with new challenges for IT security. A prominent option to secure IT infrastructures is to use security guidelines from agencies, such as Germany’s Federal Office for Information Security. In this work, we analyze the module ”SYS.1.6 Container” from this agency. We want to find out how suitable this module is to secure a typical Kubernetes scenario. Our scenario is a classical 3-tier architecture with front end, business logic and database-back end. We show that with orchestration, the protection needs for the entire Kubernetes cluster in terms of confidentiality, integrity and availability automatically become ”high” as soon as a sensitive data object is processed or stored in any container. Our analysis has shown that the SYS.1.6 module is generally suitable. However, we have identified three additional threats. Two of them could be exploited automatically, as soon as a respective vulnerability appears.