2017 15th Annual Conference on Privacy, Security and Trust (PST)最新文献

{"title":"On Return Oriented Programming Threats in Android Runtime","authors":"Akshaya Venkateswara Raja, Jehyun Lee, Debin Gao","doi":"10.1109/PST.2017.00038","DOIUrl":"https://doi.org/10.1109/PST.2017.00038","url":null,"abstract":"Android has taken a large share of operating systems for smart devices including smartphones, and has been an attractive target to the attackers. The arms race between attackers and defenders typically occurs on two front lines — the latest attacking technology and the latest updates to the operating system (including defense mechanisms deployed). In terms of attacking technology, Return-Oriented Programming (ROP) is one of the most sophisticated attack methods on Android devices. In terms of the operating system updates, Android Runtime (ART) was the latest and biggest change to the Android family. In this paper, we investigate the extent to which Android Runtime (ART) makes Return-Oriented Programming (ROP) attacks easier or more difficulty. In particular, we show that by updating system libraries and adopting Ahead-of-Time compiling instead of Justin- Time compiling in the ART architecture, a larger number and more diverse gadgets are disclosed to ROP attackers, which serve as direct ingredients to ROP attacks. We show that between three and six times more gadgets are found on the ART adopted versions of Android due to the new ART runtime. Moreover, in constrained situations where an attacker requires specific instructions and target registers, Android running ART provides up to 30% more conditional coverage than pre-ART Android does. We additionally demonstrate a sample ROP attack on post- ART Android that would not have been possible on pre-ART Android.","PeriodicalId":405887,"journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"72 4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122902366","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A Precedence Graph-Based Approach to Detect Message Injection Attacks in J1939 Based Networks","authors":"S. Mukherjee, Jacob Walker, I. Ray, J. Daily","doi":"10.1109/PST.2017.00018","DOIUrl":"https://doi.org/10.1109/PST.2017.00018","url":null,"abstract":"Vehicles now include Electronic Control Units (ECUs) that communicate with each other via broadcast networks. Cyber-security professionals have shown that such embedded communication networks can be compromised. Very recently, it has been shown that embedded devices connected to commercial vehicle networks can be manipulated to perform unintended actions by injecting spoofed messages. Such attacks can be hard to detect as they can mimic safety critical actions performed by ECUs. We present a precedence graph-based anomaly detection technique to detect malicious message injections. Our approach can detect malicious message injections and is able to distinguish them from safety critical actions like hard braking.","PeriodicalId":405887,"journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"70 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134229561","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Running Compression Algorithms in the Encrypted Domain: A Case-Study on the Homomorphic Execution of RLE","authors":"Sébastien Canard, Sergiu Carpov, Donald Nokam Kuate, Renaud Sirdey","doi":"10.1109/PST.2017.00041","DOIUrl":"https://doi.org/10.1109/PST.2017.00041","url":null,"abstract":"This paper is devoted to the study of the problem of running compression algorithms in the encrypted domain, using a (somewhat) fully homomorphic encryption (FHE) scheme. We do so with a particular focus on conservative compression algorithms. Despite of the encrypted domain Turingcompleteness which comes with the magic of FHE operators, we show that a number of subtleties crop up when it comes to running compression algorithms and, in particular, that guaranteed conservative compression is not possible to achieve in the FHE setting. To illustrate these points, we analyze the most elementary conservative compression algorithm of all, namely Run-Length Encoding (RLE). We first study the way to regularize this algorithm in order to make it (meaningfully) fit within the constraints of a FHE execution. Secondly, we analyze it from the angle of optimizing the resulting structure towards (as much as possible) FHE execution efficiency. The paper is concluded by concrete experimental results obtained using the Fan-Vercauteren cryptosystem as well as the Armadillo FHE compiler. It is also this paper intent to share the concrete return on experience we gained in attempting to run a simple yet practically significant algorithm over FHE.","PeriodicalId":405887,"journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"30 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127089270","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"An Identity Management System Based on Blockchain","authors":"Y. Liu, Zhengge Zhao, G. Guo, Xingwei Wang, Zhenhua Tan, Shuang Wang","doi":"10.1109/PST.2017.00016","DOIUrl":"https://doi.org/10.1109/PST.2017.00016","url":null,"abstract":"In this paper, we propose a decentralized identity management system based on Blockchain. The function of the system mainly includes identity authentication and reputation management. The technical advantages of the Blockchain makes the data in the system safe and credible. In addition, we use smart contracts to write system rules to ensure the reliability of user information. We bind the user's entity information with the public key address and determine the true identity of a virtual user on the Blockchain. We use the token to represent the reputation which is shown to be an effective reputation model, making the participants in the system prefer to maintain and manage their personal reputation. Our system makes it possible for users to securely manage their identity and reputation on the Internet.","PeriodicalId":405887,"journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"14 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115583045","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Model Inversion Attacks for Prediction Systems: Without Knowledge of Non-Sensitive Attributes","authors":"Seira Hidano, Takao Murakami, Shuichi Katsumata, S. Kiyomoto, Goichiro Hanaoka","doi":"10.1109/PST.2017.00023","DOIUrl":"https://doi.org/10.1109/PST.2017.00023","url":null,"abstract":"While online services based on machine learning (ML) have been attracting considerable attention in both academic and business, privacy issues are becoming a threat that cannot be ignored. Recently, Fredrikson et al. [USENIX 2014] proposed a new paradigm of model inversion attacks, which allows an adversary to expose the sensitive information of users by using an ML system for an unintended purpose. In particular, the attack reveals the sensitive attribute values of the target user by using their non-sensitive attributes and the output of the ML model. Here, for the attack to succeed, the adversary needs to possess the non-sensitive attribute values of the target user prior to the attack. However, in reality, even if this information (i.e., non-sensitive attributes) is not necessarily information the user regards as sensitive, it may be difficult for the adversary to actually acquire it. In this paper, we propose a general model inversion (GMI) framework to capture the above scenario where knowledge of the non-sensitive attributes is not necessarily provided. Here, our framework also captures the scenario of Fredrikson et al. Notably, we generalize the paradigm of Fredrikson et al. by additionally modeling the amount of auxiliary information the adversary possesses at the time of the attack. Our proposed GMI framework enables a new type of model inversion attack for prediction systems, which can be carried out without knowledge of the non-sensitive attributes. At a high level, we use the paradigm of data poisoning in a novel way and inject malicious data into the set of training data to modify the ML model into a target ML model, which we can attack without having to have knowledge of the non-sensitive attributes. Our new attack enables the inference of sensitive attributes in the user input from only the output of the ML model, even when the non-sensitive attributes of the user are not available to the adversary. Finally, we provide a concrete algorithm of our model inversion attack on prediction systems based on linear regression models, and give a detailed description of how the data poisoning algorithm is constructed.We evaluate the performance of our new model inversion attack without the knowledge of non-sensitive attributes through experiments with actual data sets.","PeriodicalId":405887,"journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125283255","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Towards a Network-Based Framework for Android Malware Detection and Characterization","authors":"Arash Habibi Lashkari, A. A. Kadir, Hugo Gonzalez, Kenneth Fon Mbah, A. Ghorbani","doi":"10.1109/PST.2017.00035","DOIUrl":"https://doi.org/10.1109/PST.2017.00035","url":null,"abstract":"Mobile malware is so pernicious and on the rise, accordingly having a fast and reliable detection system is necessary for the users. In this research, a new detection and characterization system for detecting meaningful deviations in the network behavior of a smart-phone application is proposed. The main goal of the proposed system is to protect mobile device users and cellular infrastructure companies from malicious applications with just 9 traffic feature measurements. The proposed system is not only able to detect the malicious or masquerading apps, but can also identify them as general malware or specific malware (i.e. adware) on a mobile device. The proposed method showed the average accuracy (91.41%), precision (91.24%), and false positive (0.085) for five classifiers namely; Random Forest (RF), K-Nearest Neighbor (KNN), Decision Tree (DT), Random Tree (RT) and Regression (R). We also offer a labeled dataset of mobile malware traffic with 1900 applications includes benign and 12 different families of both adware and general malware.","PeriodicalId":405887,"journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"189 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134620544","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"What Your Brain Says About Your Password: Using Brain-Computer Interfaces to Predict Password Memorability","authors":"Ruba AlOmari, Miguel Vargas Martin, Shane MacDonald, Christopher Bellman, R. Liscano, Amit Maraj","doi":"10.1109/PST.2017.00024","DOIUrl":"https://doi.org/10.1109/PST.2017.00024","url":null,"abstract":"Recent advances in brain-computer interfaces (BCI) have enabled them as affordable consumer-grade devices for nonmedical purposes such as academic research, marketing, and entertainment. We report on the possibility of using BCIs to classify passwords into two classes—one class may be deemed as memorable and the other one as non-memorable—based on electroencephalogram (EEG) potentials collected by the BCI upon presenting the passwords to human participants. The memorable set consists of the most commonly used passwords, also known as \"worst passwords lists\", while the non-memorable set consists of randomly generated strings of characters, symbols, and numbers. When classifying passwords as memorable vs. nonmemorable, a classification accuracy of 76.5% was achieved. We found a positive correlation between password EEG features and password recall. We also report on users' choice of passwords, where 74% of participants were found to inadvertently choose the password with higher elicited voltage, when presented with two passwords to choose from.","PeriodicalId":405887,"journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"165 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133868831","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Modeling Exposure in Online Social Networks","authors":"Andrew Cortese, A. Masoumzadeh","doi":"10.1109/PST.2017.00046","DOIUrl":"https://doi.org/10.1109/PST.2017.00046","url":null,"abstract":"In online social networks (OSNs), the privacy of users is impacted by exposure of information about those users to other users of the system. Various factors, including design and user behavior, may affect the degree to which information about users is exposed. We propose the notion of knowledge exposure that measures the probability that information about users will be seen by others. We argue that such a measure can give OSN users and designers insight about how privacy is affected based on system design and user behavior. We present exposure as a promising notion that can complement privacy control efforts in an OSN rather than replacing existing measures such as access control. We provide a formal model of exposure in an OSN, and demonstrate through experiments how it can be calculated for various information items.","PeriodicalId":405887,"journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"14 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128204530","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Transaction Immutability and Reputation Traceability: Blockchain as a Platform for Access Controlled IoT and Human Interactivity","authors":"D. W. Kravitz","doi":"10.1109/PST.2017.00012","DOIUrl":"https://doi.org/10.1109/PST.2017.00012","url":null,"abstract":"Credible reputation lies at the core of users and devices communicating and transacting successfully. Identity fraud is becoming increasingly difficult to manage in the face of massive-scale database breaches. In critical infrastructure and public safety applications, as well as day-to-day personal and business transactions, it is imperative to have a significant degree of confidence in whom/what one communicates with – whether to know if the recipient can be entrusted with the sender's data, or if the sender's data is to be considered reliably sourced. Even where possible, lost reputation is substantially more cumbersome, timeconsuming and expensive to replace than are compromised, stolen or defective devices and their embedded cryptographic keys. This paper focuses on two methodologies that have considerable implications relative to addressing the reputation issue: (1) blockchain-enabled anomaly detection and assessment that involves dynamically asserted identity at the network edge effected through end-user targeted release of trusted behavioral data; (2) IoT and human interaction that is securely facilitated through use of an \"Inviter-Invitee\" protocol to set up dedicated maintainable \"communication lines.\" The judiciously applied combination of the cryptographic protocol suites that enable the two methodologies results in a practicably implementable system for smart city use cases.","PeriodicalId":405887,"journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"52 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115368452","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A Nonoutsourceable Puzzle Under GHOST Rule","authors":"Gongxian Zeng, S. Yiu, Jun Zhang, Hiroki Kuzuno, M. Au","doi":"10.1109/PST.2017.00015","DOIUrl":"https://doi.org/10.1109/PST.2017.00015","url":null,"abstract":"Blockchain technology has attracted a lot of attention in recent years. Applications of blockchain are not only restricted to cybercurrencies, but have also been extended to other areas such as finance, e-health, music, and other business. One of the key components of blockchain is the design for miners who are responsible for adding new transactions (blocks) by solving a puzzle and receive some rewards in return. As a result, miners tend to join centralized mining pools to outsource their computing resources in order to gain more steady rewards, which may affect the security and fairness of the system. This motivates the researchers to propose nonoutsourceable puzzles. However, existing nonoutsourceable puzzles do not work well under the high-rate transaction processing protocol (GHOST). In this paper, we propose the first nonoutsourceable puzzle that can satisfy all security requirements of GHOST. Our experimental results show that our puzzle is practical.","PeriodicalId":405887,"journal":{"name":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","volume":"41 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123993162","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}