{"title":"Privacy-Preserving Architectures with Probabilistic Guaranties","authors":"Kai Bavendiek, Robin Adams, S. Schupp","doi":"10.1109/PST.2018.8514160","DOIUrl":"https://doi.org/10.1109/PST.2018.8514160","url":null,"abstract":"Violations of the privacy of users can happen if data protection is not a fundamental part of the development process of a software system. The principle of Privacy by Design (PbD) therefore stipulates the consideration of privacy as a default feature. We have developed an integrated tool environment called CAPVerDE that provides a formal description language of software architectures and helps a designer by automatically verifying data minimization properties at the architectural level. Our logic includes probabilistic properties that introduce uncertainty into the architectures. These properties can be used to model attack scenarios that rely on chance. This paper presents the logic of the description language of CAPVerDE and illustrates the verification process by applying it to a smart energy metering scenario.","PeriodicalId":265506,"journal":{"name":"2018 16th Annual Conference on Privacy, Security and Trust (PST)","volume":"34 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133191378","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Evaluation and Development of Onomatopoeia CAPTCHAs","authors":"Michihiro Yamada, Riko Shigeno, Hiroaki Kikuchi, Maki Sakamoto","doi":"10.1109/PST.2018.8514155","DOIUrl":"https://doi.org/10.1109/PST.2018.8514155","url":null,"abstract":"The Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) is a type of challenge–response test used for avoiding malicious software during automated registration. It plays an important role in security because fraud with computer agents is serious. The requirements of CAPTCHAs are: 1) a human can easily solve a CAPTCHA, 2) a computer cannot solve a CAPTCHA, and 3) CAPTCHAs can be generated automatically. As deep learning technology has been developed, many of the existing CAPTCHAs were compromised and fail to satisfy condition (2). In this study, we propose a new “onomatopoeia CAPTCHA” that applies onomatopoeia; i.e., words containing sounds similar to the noises they describe. Humans usually understand onomatopoeia unconsciously and use it in daily conversation; thus, it is clearly easy for humans to solve. However, it is difficult for computers because the mechanisms to recognize onomatopoeia are not very clear even now [1]. One of the difficulties of CAPTCHA schemes is the lack of reliable accuracy metrics. Some of the existing works deal with successful rate defined as a fraction of correctly answered tests. However, if we modify schemes as more complicated so that condition 2) is satisfied, then it may be hard to be solved by a human, resulting in failure of condition 1). So, we need to balance the tradeoff of two conditions. To address the above issues of CAPTCHA scheme, we introduce two evaluation metrics, Human Acceptance Rate (HAR) and Machine Acceptance Rate (MAR), measured through comprehensive experiments. To balance both acceptance rates, we try to improve HAR with the five proposed schemes looking for the best scheme that allows humans to solve CAPTCHA easily. 
Similarly, we attempt to reduce MAR as much as possible, that is, to make CAPTCHA unbreakable against attackers. Our experiment is evaluated by 63 Japanese and 63 foreigners participating from 16 countries. One of the proposed styles of CAPTCHA is based on the Manga comics with onomatopoeia that may be recognized by a wide range of subjects without suffering from a language barrier and hence it helps to extend the coverage of users. Our contribution of this work is as follows. • A new CAPTCHA scheme using Onomatopoeia that is able to be synthesized from system. • A comprehensive evaluation of accuracy metrics with respect to both human and machine (HAR and MAR), with five styles of queries and five smart attackers. • An evaluation made by a broad domain of subjects with distinct background knowledge in the world including 63 Japanese and 63 non-Japanese.","PeriodicalId":265506,"journal":{"name":"2018 16th Annual Conference on Privacy, Security and Trust (PST)","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124026744","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Extended Abstract: Ethical and Privacy Considerations in Cybersecurity","authors":"Brittany Davis, Christopher Whitfield, Mohd Anwar","doi":"10.1109/PST.2018.8514188","DOIUrl":"https://doi.org/10.1109/PST.2018.8514188","url":null,"abstract":"Several studies have examined ethical and privacy concerns in Human-Computer Interaction (HCI) and cybersecurity research. However, the approaches to assure proper ethics and privacy standards in cybersecurity research are not adequately studied. This paper introduces a framework to evaluate the ethical considerations of cybersecurity research studies. Our framework was used to evaluate the ethical and privacy considerations for the technical papers published in the proceedings of SOUPS 2017. Our research provides future researchers with methods for conducting ethically sound cybersecurity research.","PeriodicalId":265506,"journal":{"name":"2018 16th Annual Conference on Privacy, Security and Trust (PST)","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121340719","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Mining Sequential Patterns from Outsourced Data via Encryption Switching","authors":"Gamze Tillem, Z. Erkin, R. Lagendijk","doi":"10.1109/PST.2018.8514205","DOIUrl":"https://doi.org/10.1109/PST.2018.8514205","url":null,"abstract":"The increasing demand for data mining in business intelligence has led to a significant growth in the adoption of data mining as a service paradigm which enables companies to outsource their data and mining tasks to a cloud service provider. Despite the popularity of the paradigm, the companies hesitate to enable the cloud providers' access to their data considering customer privacy and intellectual property. In this paper, we propose a privacy-preserving two-party protocol which aims to mine direct sequential patterns from outsourced protected data. We focus on direct sequential pattern mining since it is a widely used primitive in business process analysis. Considering the accuracy and confidentiality, we choose encryption over statistical methods for data protection and processing. To be able to process the encrypted data, we adopt a homomorphic encryption scheme, ElGamal cryptosystem. The novelty of our scheme is that it introduces an encryption switching method that enables us to use both multiplicative and additive homomorphism on ElGamal cryptosystem. 
The results of our analyses show that our protocol is more efficient than the state-of-the-art proposals in terms of computational cost with a similar communication cost.","PeriodicalId":265506,"journal":{"name":"2018 16th Annual Conference on Privacy, Security and Trust (PST)","volume":"42 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124119232","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Power Analysis of Cryptocurrency Mining: A Mobile Device Perspective","authors":"James Clay, Alexander Hargrave, R. Sridhar","doi":"10.1109/PST.2018.8514199","DOIUrl":"https://doi.org/10.1109/PST.2018.8514199","url":null,"abstract":"We investigate the impact of how a cryptocurrency mining system can affect the power consumption of mobile devices. Specifically we look at CoinHive, a cryptocurrency miner and associated mining pool targeting the Monero (XMR) cryptocurrency. CoinHive distributes a JavaScript-based miner to webpages where visitors run the script and provide computing power to the web host’s CoinHive account. Ideally, hosting JavaScript-based cryptocurrency miners provides alternatives to using ad-networks as a source of website revenue. While some users may not oppose an energy for advertisement trade-off, it may be less palatable to mobile users concerned with battery life. Our initial studies have revealed that, at a minimum, running the normally distributed JavaScript-based miner increases the power draw of a Samsung Galaxy S4 by about 5 fold. Under certain circumstances, the power draw can increase to eleven-fold. We illustrate these findings by comparing them with various normal use benchmarks and with a variety of different ad-enabled webpages.","PeriodicalId":265506,"journal":{"name":"2018 16th Annual Conference on Privacy, Security and Trust (PST)","volume":"14 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133892148","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Managing Publicly Known Security Vulnerabilities in Software Systems","authors":"H. Mahrous, Baljeet Malhotra","doi":"10.1109/PST.2018.8514187","DOIUrl":"https://doi.org/10.1109/PST.2018.8514187","url":null,"abstract":"Monitoring security vulnerabilities (weaknesses in software systems) is very important for organizations. Third parties such as National Institute of Standards and Technology (NIST) regularly publish vulnerability reports to secure national networks and protect business interests. The main challenge in this context is that the software systems against which the vulnerabilities are published are typically known differently to various stakeholders that consume those vulnerable software systems. For instance, an organization may refer to one of its software components as my.program.js, however NIST may report a vulnerability on that particular software component as $orglrcorner Jrogramlrcorner S$ according to their standards. Thousands of vulnerabilities are reported against millions of software components every year, which makes this problem very complex. In this paper, we propose a system that matches imprecise pieces of data to track vulnerabilities in software systems. The heart of the proposed system is a text mining technique that is capable of searching vulnerabilities from large volumes of data regardless of how the software systems are named. 
Our extensive experiments with real datasets reveal that the proposed system is capable of capturing vulnerabilities with more than 90% accuracy.","PeriodicalId":265506,"journal":{"name":"2018 16th Annual Conference on Privacy, Security and Trust (PST)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115483686","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Using AP-TED to Detect Phishing Attack Variations","authors":"Sophie Le Page, G. Bochmann, Q. Cui, J. Flood, Guy-Vincent Jourdan, Iosif-Viorel Onut","doi":"10.1109/PST.2018.8514213","DOIUrl":"https://doi.org/10.1109/PST.2018.8514213","url":null,"abstract":"It is well known that many phishing attacks are variations of previous phishing attacks. We evaluate here the feasibility of applying Pawlik and Augsten's recent implementation of Tree Edit Distance (AP-TED) calculations as a way to compare DOMs and identify similar phishing attack instances. We also compare this tree method with an existing method that uses the distance between tag vectors to quantify similarity between phishing sites. We observe that no single distance method perfectly detects all types of phishing attack variations. We find that the tree method is more demanding for computing equipment, but it better discriminates the similarity with known attacks. We also introduce a method to reduce the volume of calculations by 99.4% when calculating pairwise edit distance on trees with respect to AP-TED calculations on all data.","PeriodicalId":265506,"journal":{"name":"2018 16th Annual Conference on Privacy, Security and Trust (PST)","volume":"105 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124751934","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"EagleEye: A Novel Visual Anomaly Detection Method","authors":"Iman Sharafaldin, A. Ghorbani","doi":"10.1109/PST.2018.8514179","DOIUrl":"https://doi.org/10.1109/PST.2018.8514179","url":null,"abstract":"We propose a novel visualization technique (Eagle-Eye) for intrusion detection, which visualizes a host as a community of system call traces in two-dimensional space. The goal of EagleEye is to visually cluster the system call traces. Although human eyes can easily perceive anomalies using EagleEye view, we propose two different methods called SAM and CPM that use the concept of data depth to help administrators distinguish between normal and abnormal behaviors. Our experimental results conducted on Australian Defence Force Academy Linux Dataset (ADFA-LD), which is a modern system calls dataset that includes new exploits and attacks on various programs, show EagleEye's efficiency in detecting diverse exploits and attacks.","PeriodicalId":265506,"journal":{"name":"2018 16th Annual Conference on Privacy, Security and Trust (PST)","volume":"37 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127310554","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Weak and Strong Deniable Authenticated Encryption: On their Relationship and Applications","authors":"Kasper Bonne Rasmussen, Paolo Gasti","doi":"10.1109/PST.2018.8514181","DOIUrl":"https://doi.org/10.1109/PST.2018.8514181","url":null,"abstract":"Consider a scenario in which a whistleblower (Alice) would like to disclose confidential documents to a journalist (Bob). Bob wants to verify that the messages he receives are really from Alice; at the same time, Alice does not want to be implicated if Bob is later compelled to (or decides to) disclose her messages, together with his secret key and any other relevant secret information. To fulfill these requirements, Alice and Bob can use a deniable authenticated encryption scheme. In this paper we formalize the notions of strong- and weak deniable authentication, and discuss the relationship between these definitions. We show that Bob can still securely authenticate messages from Alice after all his secret information is revealed to the adversary, but only when using a weakly (but not strongly) deniable scheme. We refer to this ability as post-compromise message authentication. We present two efficient encryption schemes that provide deniable authentication. Both schemes incur overhead similar to that of non-deniable schemes. As such, they are suitable not only when deniability is needed, but also as general encryption tools. 
We provide details of the encryption, decryption, forgery and key-generation algorithms, and formally prove that our schemes are secure with respect to confidentiality, data authentication, and strong- and weak deniable authentication.","PeriodicalId":265506,"journal":{"name":"2018 16th Annual Conference on Privacy, Security and Trust (PST)","volume":"37 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126548698","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Location Privacy and Utility in Geo-social Networks: Survey and Research Challenges","authors":"Z. Riaz, Frank Dürr, K. Rothermel","doi":"10.1109/PST.2018.8514193","DOIUrl":"https://doi.org/10.1109/PST.2018.8514193","url":null,"abstract":"Location information sharing on popular online social networking platforms like Facebook and Foursquare brings mutual benefits for the users of these platforms (e.g., free location-based services) as well as the platform providers (e.g., location-based businesses). An obvious problem however that impedes these mutual benefits are privacy concerns related to location data of users, which also curb their active participation. In this paper, we analyze the role of existing location privacy-preserving mechanisms in minimizing this mutual loss of benefits. Our analysis reveals that most existing mechanisms either ignore social platform related user-privacy concerns or they disregard location data-quality related demands of the platform providers. Moreover, we also point out concrete research gaps and implementation issues related to existing privacy mechanisms.","PeriodicalId":265506,"journal":{"name":"2018 16th Annual Conference on Privacy, Security and Trust (PST)","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127221173","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}