2019 12th CMI Conference on Cybersecurity and Privacy (CMI)最新文献

{"title":"Privacy in the toolbox of freedom","authors":"Mandy Balthasar, Armin Gerl","doi":"10.1109/CMI48017.2019.8962146","DOIUrl":"https://doi.org/10.1109/CMI48017.2019.8962146","url":null,"abstract":"A life can be mastered by digital processes in a world that is always incomplete due to its complexity, only by balancing. An ethical balancing act within the framework of Poppers' trilemma of open society. This is accompanied by another tightrope act between privacy, which is made visible, and privacy, which is technically implemented. In a social, digitally transformed data culture, privacy is always subjective from the user's point of view, which is why the degree of protection must be individually adaptable. As a key element between users, companies (technologies) and the legal frameworks, privacy languages should serve to give the user the freedom to control and manage transparency from consent to processing over his data within the framework of an order, if he wishes so. But also to be able to introduce criticism in order to be able to change previously defined conditions and thus flexibly meet the technical and moral change. Privacy is to be understood as a mediator of reciprocal sympathy and tolerance between data provider and data recipient, which can be implemented by means of a Privacy Language.","PeriodicalId":142770,"journal":{"name":"2019 12th CMI Conference on Cybersecurity and Privacy (CMI)","volume":"64 6","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"120939382","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A Survey on Privacy Policy Languages: Expressiveness Concerning Data Protection Regulations","authors":"Jens Leicht, M. Heisel","doi":"10.1109/CMI48017.2019.8962144","DOIUrl":"https://doi.org/10.1109/CMI48017.2019.8962144","url":null,"abstract":"Privacy policies are a widely used way of expressing the data handling by service providers. However, the legalese used in these documents hinders many users in understanding the important information about what is happening with their data. A privacy policy language and corresponding easy to understand visualization can help users in understanding these policies. In this survey we compare 18 policy languages that can be used in the context of privacy policies. The focus of this survey lies on compatibility with legislation like the General Data Protection Regulation of the European Union and the formalization of such language,","PeriodicalId":142770,"journal":{"name":"2019 12th CMI Conference on Cybersecurity and Privacy (CMI)","volume":"35 9","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132900155","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"[Front matter]","authors":"","doi":"10.1109/cmi48017.2019.8962133","DOIUrl":"https://doi.org/10.1109/cmi48017.2019.8962133","url":null,"abstract":"","PeriodicalId":142770,"journal":{"name":"2019 12th CMI Conference on Cybersecurity and Privacy (CMI)","volume":"70 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132663634","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Privacy-Preserving Collaborative Data Anonymization with Sensitive Quasi-Identifiers","authors":"Kok-Seng Wong, Nguyen Anh Tu, Dinh-Mao Bui, S. Ooi, M. Kim","doi":"10.1109/CMI48017.2019.8962140","DOIUrl":"https://doi.org/10.1109/CMI48017.2019.8962140","url":null,"abstract":"Collaborative anonymization deals with a group of respondents in a distributed environment. Unlike in centralized settings, no respondent is willing to reveal his or her records to any party due to the privacy concerns. This creates a challenge for anonymization, and it requires a level of trust among respondents. In this paper, we study a collaborative anonymization protocol that aims to increase the confidence of respondents during data collection. Unlike in existing works, our protocol does not reveal the complete set of quasi-identifier (QID) to the data collector (e.g., agency) before and after the data anonymization process. Because QID can be both sensitive values and identifying values, we allow the respondents to hide sensitive-QID attributes from other parties. Our protocol ensures that the desired protection level (i.e., k-anonymity) can be verified before the respondents submit their records to the agency. Furthermore, we allow honest respondents to indict a malicious agency if it modifies the intermediate results or not following the protocol faithfully.","PeriodicalId":142770,"journal":{"name":"2019 12th CMI Conference on Cybersecurity and Privacy (CMI)","volume":"27 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122443738","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A Social Economic Analysis of the Impact of GDPR on Security and Privacy Practices","authors":"Roslyn Layton, S. Elaluf-Calderwood","doi":"10.1109/CMI48017.2019.8962288","DOIUrl":"https://doi.org/10.1109/CMI48017.2019.8962288","url":null,"abstract":"The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have been presented by many policymakers as fundamental, welfare enhancing policies. While individuals value privacy, these policies require significant up front and ongoing investment by firms. For example, an analysis commissioned by the California Department of Justice's Office of the Attorney General estimates 14:1 cost to benefit ratio. No such analysis could be found from EU authorities for the GDPR. Sweeping regulatory regimes can create unintended consequences. This paper offers a brief introduction to the new cybersecurity challenges created by the GDPR and CCPA within firms and in the larger Internet ecosystem. As a result of the regulation, firms face many challenges to comply with costly and complex rules, broad definitions of personally identifiable information (PII), and increased risk of fee and/or lawsuit for violations, vulnerabilities, and lack of compliance. Since the promulgation of the GDPR, important security side effects have reported including the blocking of public information in the WHOIS internet protocol database, identity theft through the hacking of the Right to Access provision (Article 15) and other provisions, and the proliferation of network equipment with security and privacy vulnerabilities. The paper also offers a brief overview of the Gordon-Loeb (GL) model used for calculating the optimal investment in cybersecurity. [1] A preliminary data set is offered to examine the difficulty of estimating the cost of cybersecurity investment in light of the GDPR. Notably, the value of the European Union's data economy was estimated to be €300 billion in 2016 [2]. The given GL model would suggest that the optimal investment to protect data would be €13.2 billion. The actual European cyber spend was some €15 billion in 2015, [3] a slightly higher number which covers the EU plus additional European countries, suggesting that the GL model some applicability. There are limited GL type models and tools to guide data protection or privacy investments, and given the emergence of new data protection expectations, it is worth investigating how and whether firms can deliver both sets of expenditures and to what degree. The low level of GDPR compliance suggests that a workable equation of data protection is still not clear for most firms.","PeriodicalId":142770,"journal":{"name":"2019 12th CMI Conference on Cybersecurity and Privacy (CMI)","volume":"78 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128379064","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Privacy Analysis of Format-Preserving Data-Masking Techniques","authors":"Zaruhi Aslanyan, M. Boesgaard","doi":"10.1109/CMI48017.2019.8962143","DOIUrl":"https://doi.org/10.1109/CMI48017.2019.8962143","url":null,"abstract":"With the growing number of regulations and concerns regarding data privacy, there is an increasing need for protecting Personally Identifiable Information (PII). A widely-used approach to protect PII is to apply data-masking techniques in order to remove or hide the identities of the individuals referred to in the data under investigation. A particular class of data-masking techniques aims at preserving the format of the source data, so as to allow using encoded data where the corresponding source is expected, thereby minimising application changes to perform tasks such as statistical analysis or testing. Various encoding techniques are used to protect data privacy while preserving the format, including Format-Preserving Encryption (FPE) and masking out. Even though convenient, preserving the format of data might lead to re-identification attacks. In this paper, we discuss the vulnerabilities of data-masking techniques that preserve the format of data and analyse their security and privacy properties. We investigate two industrial datasets and quantify the potential data privacy leakage that could arise from using inappropriate data masking techniques.","PeriodicalId":142770,"journal":{"name":"2019 12th CMI Conference on Cybersecurity and Privacy (CMI)","volume":"10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133808488","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Prioritization methodology of computing assets for connected vehicles in security assessment purpose","authors":"A. Barinov, N. Davydkin, Daria V. Sharova, Sergey V. Skurlaev","doi":"10.1109/CMI48017.2019.8962145","DOIUrl":"https://doi.org/10.1109/CMI48017.2019.8962145","url":null,"abstract":"The paper is devoted to a preparation for security assessment of connected vehicles, prioritization points of attacks on structural elements in particular. Described approach is based on quality assessment of developed components and their accordance with model of attacker. Important feature of methodology concludes in evaluation of each informational flow criticality interacting with component. The conclusion indicates the advantages of the developed approach and describes its disadvantages, if approach is implemented on elements, built by the AUTOSAR architecture basis.","PeriodicalId":142770,"journal":{"name":"2019 12th CMI Conference on Cybersecurity and Privacy (CMI)","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132246201","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Electronic Voting Recording System Based on Blockchain Technology","authors":"Samuel Agbesi, George Asante","doi":"10.1109/CMI48017.2019.8962142","DOIUrl":"https://doi.org/10.1109/CMI48017.2019.8962142","url":null,"abstract":"Blockchain has been said to be one of the technologies for the future, and researchers have argued that this technology is going to disrupt many industries in the coming years, and democratic elections are one of the key areas blockchain is going to transform. Several organizations have begun experimenting on blockchain-enabled e-voting platforms, such as Democratic Earth, Horizon State and Follow My Vote. This study seeks to conceptualize a blockchain architecture for the storage of election results that provide trust, transparency, and immutability using distributed ledger technology (DLT). One of the main issues with elections in Ghana and other sub-Saharan African countries is the inaccurate recording of votes from polling stations, constituencies and at the national office. There are instances where votes recorded at the polling station changes at the constituencies either intentionally or accidentally. The study discussed the basic properties of the blockchain, such as distributed ledger, consensus mechanisms and cryptographic hash function, and how it can be used to address the current challenges in vote recording during elections. The study evaluates current blockchain-enabled e-voting systems and designs a blockchain-based vote recording system that provides immutability, trust, and transparency. The proposed design addresses the issues of vote tempering because transactions added to the block are secure with a cryptographic hash function which makes tempering of the votes stored in the blockchain nearly impossible and make it immutable.","PeriodicalId":142770,"journal":{"name":"2019 12th CMI Conference on Cybersecurity and Privacy (CMI)","volume":"68 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129029526","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Demystifying the Membership Inference Attack","authors":"Paul Irolla, G. Châtel","doi":"10.1109/CMI48017.2019.8962136","DOIUrl":"https://doi.org/10.1109/CMI48017.2019.8962136","url":null,"abstract":"The Membership Inference Attack (MIA) is the process of determining whether a sample comes from the training dataset (in) of a machine learning model or not (out). This attack makes use of a trained machine learning to expose confidential information about its training data. It is particularly alarming in cases where data is tightly linked to individuals like in the medical, financial and marketing domains. The underlying factors of the success of MIA are not well understood. The current theory explains its success by the difference in the confidence levels for in samples and out samples. In this article, we show that the confidence levels play little to no role in the MIA success in most of the cases. We propose a more general theory that explains previous results and some unexpected observations that have been made in the state-of-the-art. To back up our theory, we run MIA exneriments on MNIST, CIFAR-10 and Fashion-MNIST.","PeriodicalId":142770,"journal":{"name":"2019 12th CMI Conference on Cybersecurity and Privacy (CMI)","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127939637","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Brightness: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness","authors":"Mordechai Guri, Dima Bykhovsky, Y. Elovici","doi":"10.1109/CMI48017.2019.8962137","DOIUrl":"https://doi.org/10.1109/CMI48017.2019.8962137","url":null,"abstract":"Air-gapped computers are systems that are kept isolated from the Internet since they store or process sensitive information. In this paper, we introduce an optical covert channel in which an attacker can leak (or, exfiltlrate) sensitive information from air-gapped computers through manipulations on the screen brightness. This covert channel is invisible and it works even while the user is working on the computer. Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys and passwords), and modulate it within the screen brightness, invisible to users. The small changes in the brightness are invisible to humans but can be recovered from video streams taken by cameras such as a local security camera, smartphone camera or a webcam. We present related work and discuss the technical and scientific background of this covert channel. We examined the channel's boundaries under various parameters, with different types of computer and TV screens, and at several distances. We also tested different types of camera receivers to demonstrate the covert channel. Lastly, we present relevant countermeasures to this type of attack.","PeriodicalId":142770,"journal":{"name":"2019 12th CMI Conference on Cybersecurity and Privacy (CMI)","volume":"78 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127010557","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}