2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW): Latest Publications

Secure Key Management for Multi-Party Computation in MOZAIK
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Pub Date: 2023-07-01 DOI: 10.1109/EuroSPW59978.2023.00020
Enzo Marquet, Jerico Moeyersons, Erik Pohle, Michiel Van Kenhove, Aysajan Abidin, B. Volckaert
Abstract: The immense growth of data from the proliferation of Internet of Things (IoT) devices presents opportunities and challenges for privacy engineering. On the one hand, this data can be harnessed for personalized services, cost savings, and environmental benefits. On the other hand, (new) legislation must be complied with, and privacy risks arise from collecting and processing such data. Distributed privacy-preserving analytics offers a promising solution, providing insights while also protecting privacy. However, this approach has new challenges and risks, such as key management and confidentiality. When designing a data marketplace which offers distributed privacy-preserving analytics, the key management comes with different threats, which require a solution adapted to the distributed architecture. In this context, the paper presents a comprehensive, end-to-end secure system called MOZAIK for privacy-preserving data collection, analysis, and sharing. The article focuses on the key management aspect of the secure multi-party computation (MPC) component in a distributed privacy-preserving analytics architecture and the specific challenges created by introducing MPC. The proposed solution involves temporary storage of (symmetric) key shares and public-key encryption schemes to ensure secure key management for privacy-preserving computation. Our solution has the potential to be applied in other MPC-based setups, making it a valuable addition to the field of privacy engineering. By addressing key management challenges and risks, MOZAIK enhances data protection while enabling valuable insights from IoT data.
Citations: 0
Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Pub Date: 2023-07-01 DOI: 10.1109/EuroSPW59978.2023.00048
J. Pottebaum, Jost Rossel, Juraj Somorovsky, Y. Acar, René Fahr, Patricia Arias Cabarcos, E. Bodden, I. Gräßler
Abstract: The security of Industrial Control Systems is relevant both for reliable production system operations and for high-quality throughput in terms of manufactured products. Security measures are designed, operated and maintained by different roles along product and production system lifecycles. Defense-in-Depth as a paradigm builds upon the assumption that breaches are unavoidable. The paper at hand provides an analysis of roles, corresponding Human Factors and their relevance for data theft and sabotage attacks. The resulting taxonomy is reflected by an example related to Additive Manufacturing. The results assist in both designing and redesigning Industrial Control Systems as part of an entire production system so that Defense-in-Depth with regard to Human Factors is built in by design.
Citations: 0
U-Sense: Feasibility Study of "Human as a Sensor" in Incident Reporting Systems in a Smart Campus
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Pub Date: 2023-07-01 DOI: 10.1109/EuroSPW59978.2023.00075
Naoom Abu Abah, N. Taylor, C. Morisset, M. Mehrnezhad
Abstract: The "Human as a Sensor" paradigm provides a way of leveraging the power of individuals' observations to benefit situational awareness via monitoring, incident detection and reporting potential issues to responsible authorities. Our research explores the feasibility of using this approach to improve situational awareness in a smart campus by prompting building occupants to perform routine checks for potential problems with building facilities. We present a feasibility study of an interactive reporting system prototype named "U-Sense" by conducting a real-world experiment for one month (n=21). Based on responses through the system and interviews with the participants, we assess the potential for this approach and propose a number of design implications for such systems, including task-related aspects, human sensor availability preferences and participation motives.
Citations: 0
The Peculiar Case of Tailored Phishing against SMEs: Detection and Collective Defense Mechanisms at a Small IT Company
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Pub Date: 2023-07-01 DOI: 10.1109/EuroSPW59978.2023.00031
Pavlo Burda, Abdul Malek Altawekji, Luca Allodi, Nicola Zannone
Abstract: Phishing attacks are increasingly sophisticated, with attackers exploiting publicly available information on their targets to personalize their attacks. Although an increasing body of research has investigated the effectiveness of tailored phishing campaigns, researchers have primarily focused on large enterprises. Company size, composition, and resource availability (e.g., of security experts or a phishing response team handling incidents) play an important role in the studied dynamics. However, whether the same also applies to small and medium-sized enterprises (SMEs), which typically do not have those resources, is unclear. On the other hand, studying SME security is hard as they generally have no expertise in-house to run the required experiments. This work provides a first study filling this gap by investigating the effectiveness of tailored phishing campaigns against an SME IT company in Europe. To this end, we conducted a field experiment targeting 30 employees at an SME and, subsequently, interviewed nine employees to understand the cognitive processes underlying the detection of and response to our phishing campaign, as well as the group defense mechanisms at the SME. Our findings show that expectation mismatch was the primary method for detecting our phishing email and that the collective defense mechanism enabled a surprisingly prompt response and containment of the attack, possibly due to the network dynamics of a small company.
Citations: 0
Tales from the Git: Automating the detection of secrets on code and assessing developers' passwords choices
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Pub Date: 2023-07-01 DOI: 10.1109/EuroSPW59978.2023.00013
Nikolaos Lykousas, C. Patsakis
Abstract: Typical users are known to use and reuse weak passwords. Yet, as cybersecurity concerns continue to rise, understanding the password practices of software developers becomes increasingly important. In this work, we examine developers' passwords on public repositories. Our dedicated crawler collected millions of passwords from public GitHub repositories; however, our focus is on their unique characteristics. To this end, this is the first study investigating developer traits in password selection across different programming languages and contexts, e.g. email and database. Despite the fact that developers may have carelessly leaked their code on public repositories, our findings indicate that they tend to use significantly more secure passwords, regardless of the underlying programming language and context. Nevertheless, when the context allows, they often resort to similar password selection criteria as typical users. The public availability of such information in cleartext indicates that there is still much room for improvement and that further targeted awareness campaigns are necessary.
Citations: 0
GLICE: Combining Graph Neural Networks and Program Slicing to Improve Software Vulnerability Detection
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Pub Date: 2023-07-01 DOI: 10.1109/EuroSPW59978.2023.00009
Wesley de Kraker, H. Vranken, Arjen Hommersom
Abstract: This paper introduces the GLICE (Graph Neural Network with program slice) model for static code analysis to detect vulnerabilities in source code. GLICE combines inter-procedural program slicing with a Graph Neural Network. It builds upon and extends prior work that applies program slicing (as in the SySeVR model) and Graph Neural Networks (as in the FUNDED model) for vulnerability detection. We apply GLICE on a data set of C/C++ code samples with out-of-bounds write (CWE-787) and out-of-bounds read (CWE-125) buffer overflow vulnerabilities. We perform experiments with GLICE to evaluate trade-offs in the depth of the inter-procedural analysis, and to compare GLICE with prior models by evaluating the effectiveness for vulnerability detection and the usage of resources. Our experimental results show that the detection accuracy of GLICE improves by up to 13% when compared to FUNDED, while the time required to train the GLICE model is about 9 times smaller. GLICE allows configuring the depth of the inter-procedural analysis. Our experimental results show that increasing the depth improves detection, which however requires more computing resources. This allows a user of GLICE to steer the trade-off between detection accuracy and computational efficiency.
Citations: 0
Visualizing Cyber-Threats in Underground Forums
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Pub Date: 2023-07-01 DOI: 10.1109/EuroSPW59978.2023.00032
James T. Burroughs, Michal Tereszkowski-Kaminski, Guillermo Suarez-Tangil
Abstract: In this paper, we develop a language-agnostic methodology to extract features of interest to an analyst from forum posts and visualize them in a way which facilitates identification and stratification of areas of interest in the forums, as well as further manual analysis of the text. We then apply this methodology to a specific Russian underground forum. The visualization acts as a 'thumbnail' for individual posts, conveying semantic metadata of post contents. By viewing the thumbnail, an analyst is provided with an immediate 'sense' of post length and key features present within a post, as well as their frequency and spatial arrangement. Using the generated visualizations of posts from the underground forum, we speed up analyst identification of post subject matter by up to 72%. As a key novelty, we propose that the image output of our method has fractal properties that can be exploited when sorting threats and extracting highly technical posts. Thus, we use a method based on the Minkowski-Bouligand fractal dimension to prioritize analysis of posts which represent more sophisticated threats.
Citations: 0
Privacy as an Architectural Quality: A Definition and an Architectural View
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Pub Date: 2023-07-01 DOI: 10.1109/EuroSPW59978.2023.00019
Immanuel Kunz, Shuqian Xu
Abstract: Software architects describe architectures from different perspectives to compare, document, and explain them to other stakeholders. Numerous views have been proposed in the past in the form of architectural models and modelling languages. However, these views do not sufficiently reflect privacy properties, making it difficult for architects to evaluate and compare design candidates. In this paper, we first define privacy as an architectural quality, and then propose a privacy-by-design architectural view which uses an extended data flow diagram to support the documentation, evaluation, and comparison of architecture designs. The view uses control domains, showing which entities actually control personal data in the design, and metrics that can quantify privacy aspects. We also present a method to create the view automatically from source code. This approach can be useful in the maintenance phase of the software lifecycle, as well as in agile development where source code and architecture are changed iteratively. The results can be integrated into the Attribute-Driven Design method, and can also be used to document design decisions, e.g., for future design support or a certification audit.
Citations: 0
Revisiting OAuth 2.0 Compliance: A Two-Year Follow-Up Study
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Pub Date: 2023-07-01 DOI: 10.1109/EuroSPW59978.2023.00064
Pieter Philippaerts, D. Preuveneers, W. Joosen
Abstract: OAuth 2.0 is a widely used authorization protocol that allows third-party access to an authorization service on behalf of a user. Like any security protocol, it requires careful implementation to ensure security. Previous research has thoroughly analyzed the security of the OAuth protocol, but popular deployments remain vulnerable due to incorrect or limited implementation of the standards. In our previous work, we introduced a tool called OAUCH to measure and improve compliance with the OAuth standards. We used the tool to measure the compliance of 100 OAuth implementations and created a unique overview of the state of practice within the OAuth ecosystem. This paper revisits these prior results and updates our measurements. We compare the latest results to the original baseline and identify changes in the ecosystem. Our analysis shows that IdPs have become more compliant in the past two years, but a substantial number still lack fundamental countermeasures.
Citations: 0
The Case for Virtual PLC-enabled Honeypot Design
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Pub Date: 2023-07-01 DOI: 10.1109/EuroSPW59978.2023.00044
S. Y. Chowdhury, Brandon Dudley, Ruimin Sun
Abstract: Programmable logic controllers (PLCs) are essential components of Industrial Control Systems (ICS), acting as a practical link between the cyber and physical worlds. In recent years, we have seen an increase in attacks targeting PLCs. Honeypots for PLCs, an effective technique to gather attacker information and attack tactics, are limited in vendor-specific implementation, configuration, extensibility, and scalability. With the emergence of virtual PLCs, this paper introduces a honeypot, named PLCHoney, to overcome the existing challenges in a cost-effective approach. We designed and implemented PLCHoney with a proxy profiler, dockerized virtual PLCs, a physical process simulator, and a security analysis engine. PLCHoney was able to correctly simulate responses to various internet requests and was tested effectively on a network of virtualized traffic light applications. We enabled further security analysis with a dataset containing PLC I/O status, collected with and without attacks. We envision that PLCHoney paves the avenue for the future development of PLC-based honeypots.
Citations: 0