Journal of Information Security and Applications: Latest Articles

Blockchain in inter-organizational collaboration: A privacy-preserving voting system for collective decision-making
IF 3.8, Zone 2, Computer Science
Journal of Information Security and Applications Pub Date: 2024-07-26 DOI: 10.1016/j.jisa.2024.103837
Abstract: Electronic voting systems can support a key behavioral process in inter-organizational collaboration – collective decision-making – but typically face challenges related to single points of failure from centralized databases and trusted third parties to deal with privacy voting requirements. To address such issues, this work presents a decentralized voting system based on blockchain technology, Fully Homomorphic Encryption, tokenization, and Proof-of-Stake mechanisms to promote the system’s sustainability while enhancing voting privacy and anonymization. Our solution introduces verifiability to voting processes without any trusted intermediaries. We use the inter-organizational collaboration use case since it introduces additional voting requirements in the private domain, such as promoting cooperative behavioral processes to develop trustworthy relationships between organizations. Our proof-of-concept implementation and evaluation results show that the proposed solution provides voting privacy with adequate computational costs.
Citations: 0
Semi-supervised QIM steganalysis with ladder networks
IF 3.8, Zone 2, Computer Science
Journal of Information Security and Applications Pub Date: 2024-07-24 DOI: 10.1016/j.jisa.2024.103834
Abstract: Recently, deep learning-based Quantization Index Modulation (QIM) steganalysis algorithms have achieved great success. However, most of them are supervised learning algorithms that rely on a large number of labeled samples and have poor generalization performance. Towards addressing the challenge, we present a novel semi-supervised ladder network, termed SSLadNet, for weak signal detection in QIM steganalysis of VoIP streams. In particular, we integrate supervised learning and unsupervised learning into an end-to-end learning architecture via a ladder network, and achieve joint optimization for semi-supervised learning by backpropagation to minimize the sum of supervised and unsupervised cost functions. To the best of our knowledge, this is the first deep learning-based semi-supervised detection model applied to QIM steganalysis that can effectively extract rich features reflecting the correlation changes between codewords caused by QIM steganography. Experimental results showed that even for the labeled samples with a number of 512, SSLadNet can achieve a detection accuracy of around 96.09% for 1000 ms long samples and 100% embedding rate, and outperforms the state-of-the-art methods based on semi-supervised learning.
Citations: 0
A Hybrid Secure Signcryption Algorithm for data security in an internet of medical things environment
IF 3.8, Zone 2, Computer Science
Journal of Information Security and Applications Pub Date: 2024-07-24 DOI: 10.1016/j.jisa.2024.103836
Abstract: It proposes a Hybrid Secure Signcryption Algorithm (HySSA), a small-size block chain (BC), and a planned system that secures an electronic health record (EHR) exchange through enabled device transmissions with minimal encryption and signature overhead. HySSA has two stages of operation. Patients are fitted with proximity sensor nodes (PSNs), which establish a wireless personal area network (WBAN) in the first phase of the procedure. It is up to the nodes to decide which cluster head (CH) in their vicinity can send data to the WBAN’s Gateway sensor nodes (GSN) containing EHR meta-data. Second, GSN implements a lightweight signcryption technique for authorized stakeholders that combines data encryption and signing in the second phase of its development. An interplanetary file system provides secure keys for access to the data, which is exchanged over open channels (IPFS). Data mining results are stored to lower computing expenses, and block ledgers are used in global chain architectures. Compared to other schemes, the proposed HySSA scheme is cheaper for transaction and signing expense parameters, throughput of transactions, and computational and communication expenses. It takes HySSA a standard of 3.32 s (s) to sign and 6.52 s (s) to verify in simulation. It takes 3.325 s to mine 200 blocks, compared to 7.8 s for traditional schemes. The throughput of transactions was 142.78 Mbps, as opposed to the standard 102.45 Mbps. Computing time (CC) is 45.80 ms, while communication time (CCM) is 97 bytes, indicating that the suggested approach is competitive with other current approaches in terms of security.
Citations: 0
Detecting malicious encrypted traffic with privacy set intersection in cloud-assisted industrial internet
IF 3.8, Zone 2, Computer Science
Journal of Information Security and Applications Pub Date: 2024-07-24 DOI: 10.1016/j.jisa.2024.103831
Abstract: Encryption technology provides the ability of confidential transmission to ensure the security of Industrial Internet communication, but it makes detecting malicious encrypted traffic very difficult. To resolve the conflict between the difficulty of malicious encrypted traffic detection and the requirements of traffic privacy protection, we propose a cloud-assisted Industrial Internet malicious encrypted traffic detection scheme with privacy protection. To accurately match the encrypted traffic and the detection rules, a privacy set intersection protocol based on the oblivious pseudorandom function and random garbled Bloom filter is constructed, which can detect malicious traffic without revealing data content. Meanwhile, our scheme can allow semi-trusted cloud servers to assist resource-constrained end devices to participate in private calculations. The key-homomorphic encryption is introduced to obfuscate the detection rules, making the detection rules always transparent to end users and semi-trusted cloud servers. We also design the random input verification to make the malicious end users do not have any opportunity to participate in the privacy set intersection calculation using arbitrary data. The scheme analysis and performance evaluation results show that our scheme can effectively guarantee the security of encrypted traffic detection with better detection performance and limited resource consumption.
Citations: 0
Improving image steganography security via ensemble steganalysis and adversarial perturbation minimization
IF 3.8, Zone 2, Computer Science
Journal of Information Security and Applications Pub Date: 2024-07-23 DOI: 10.1016/j.jisa.2024.103835
Abstract: Adversarial embedding, which can deceive the CNN-based steganalyzers, has emerged as an effective strategy to improve image steganography security. However, its efficacy might be easily weakened when confronting re-trained or unknown steganalyzers. In this work, the security of adversarial embedding-based image steganography is further improved by ensemble steganalysis and adversarial perturbation minimization. Different from the existing works that rely on a single targeted steganalyzer, the proposed approach develops an ensemble steganographic classifier, which leverages the majority voting rule to smartly select those pixels that are more suitable for adversarial embedding. To mitigate the interference caused by adversarial embedding, two strategies are adopted. Firstly, a cover image is divided into two non-overlapping regions in terms of pixel gradient amplitude. The regions with higher gradient amplitudes are progressively conducted with adversarial embedding until the targeted steganalyzer is effectively deceived. Secondly, the embedding costs are fine-tuned to minimize the degradation of image quality. Extensive experimental results demonstrate that the proposed approach achieves superior steganography security. Under black-box attacks, with S-UNIWARD and HILL as baseline methods and Deng-Net as the targeted steganalyzer, the proposed approach improves the average detection accuracy of 4.88% and 2.47% for S-UNIWARD and HILL, respectively. In comparison, the existing works only achieve improvements of 2.88% and 2.93% for S-UNIWARD, and 1.44% and 1.12% for HILL, respectively.
Citations: 0
NeuroIDBench: An open-source benchmark framework for the standardization of methodology in brainwave-based authentication research
IF 3.8, Zone 2, Computer Science
Journal of Information Security and Applications Pub Date: 2024-07-18 DOI: 10.1016/j.jisa.2024.103832
Abstract: Biometric systems based on brain activity have been proposed as an alternative to passwords or to complement current authentication techniques. By leveraging the unique brainwave patterns of individuals, these systems offer the possibility of creating authentication solutions that are resistant to theft, hands-free, accessible, and potentially even revocable. However, despite the growing stream of research in this area, faster advance is hindered by reproducibility problems. Issues such as the lack of standard reporting schemes for performance results and system configuration, or the absence of common evaluation benchmarks, make comparability and proper assessment of different biometric solutions challenging. Further, barriers are erected to future work when, as so often, source code is not published open access. To bridge this gap, we introduce NeuroIDBench, a flexible open source tool to benchmark brainwave-based authentication models. It incorporates nine diverse datasets, implements a comprehensive set of pre-processing parameters and machine learning algorithms, enables testing under two common adversary models (known vs unknown attacker), and allows researchers to generate full performance reports and visualizations. We use NeuroIDBench to investigate the shallow classifiers and deep learning-based approaches proposed in the literature, and to test robustness across multiple sessions. We observe a 37.6% reduction in Equal Error Rate (EER) for unknown attacker scenarios (typically not tested in the literature), and we highlight the importance of session variability to brainwave authentication. All in all, our results demonstrate the viability and relevance of NeuroIDBench in streamlining fair comparisons of algorithms, thereby furthering the advancement of brainwave-based authentication through robust methodological practices.
PDF: https://www.sciencedirect.com/science/article/pii/S2214212624001340/pdfft?md5=701ee49e0586c993c5933d0f423680fa&pid=1-s2.0-S2214212624001340-main.pdf
Citations: 0
Reversible data hiding in encrypted image based on key-controlled balanced Huffman coding
IF 3.8, Zone 2, Computer Science
Journal of Information Security and Applications Pub Date: 2024-07-11 DOI: 10.1016/j.jisa.2024.103833
Yaolin Yang, Fan Chen, Heng-Ming Tai, Hongjie He, Lingfeng Qu
Abstract: To achieve privacy protection and effective management in cloud computing, and solve the problem of existing reversible data hiding in encrypted image (RDH-EI) algorithms being unable to resist existing various attacks, an RDH-EI algorithm based on key-controlled balanced Huffman coding (KBHC) is proposed. The novelty lies in KBHC and variable-length bit scrambling. KBHC possesses non-preset, balanced, and key-controlled characteristics, providing the proposed algorithm with high capacity and enhanced security. The non-preset allows coding tables to be adaptively generated based on prediction error maps, resulting in shorter encoded streams for higher embedding capacity. The balanced characteristic is achieved by adjusting the subtrees, so that the balance rate in the encoded stream is 0.014, and can also reach 0.065 for particularly smooth images, achieving uniform distribution of the encoded stream, thereby improving the ability to resist statistical analysis attacks. The random key controls the leaf nodes scrambling in the Huffman tree, which realizes the variability of the encoded stream and avoids the potential security risks caused by timestamp reconstruction, laying the foundation to achieve differential attack security. Variable-length bit scrambling determines the pseudo-random extension length and scrambling sequence by both the encryption key and coding table information, effectively resists brute force attacks and ensures up to 100 % difference rate between scrambling sequences generated in each run. Experimental results demonstrate that compared to several RDH-EI methods, the proposed algorithm achieves higher embedding capacity and security under acceptable complexity. The average embedding rate of three databases reaches 3.897 bpp, and the proposed algorithm effectively resists statistical analysis attacks, COA, KPA, and differential attack.
Citations: 0
Enabling security risk assessment and management for business process models
IF 3.8, Zone 2, Computer Science
Journal of Information Security and Applications Pub Date: 2024-07-05 DOI: 10.1016/j.jisa.2024.103829
David G. Rosado, Luis E. Sánchez, Ángel Jesús Varela-Vaca, Antonio Santos-Olmo, María Teresa Gómez-López, Rafael M. Gasca, Eduardo Fernández-Medina
Abstract: Business processes (BP) are considered the enterprise’s cornerstone but are increasingly in the spotlight of attacks. Therefore, the design of business processes must consider the security risks and be adequately integrated into the information and operational systems. However, security risk assessment and management are rarely considered at the level of business processes during design time, let alone considering a risk architecture that takes into account the connection and dependencies of risks at these levels of the organisation, business processes, and information systems. In general, most approaches deal with integrating new artefacts for business process models to support risk analysis, but sometimes, the notation can increase complexity, making it difficult to have a risk management tool to support the analysis. After analysing the current risk processes and frameworks, we have realised that they are often neglected when considering organisational and business process levels. In this paper, MARISMA-BP (MARISMA for Business Process) pattern is proposed, a security risk pattern to enable the assessment and management of risks for business process models. This approach is an artefact that has been validated in a real scenario following the design science methodology. Further, MARISMA-BP pattern is supported by eMARISMA, an automated infrastructure that allows the definition and reuse of each risk component, helping us to carry out the risk assessment and management process in an efficient and dynamic way. To demonstrate the applicability of the proposal, MARISMA-BP pattern is applied to a real health-based business process scenario. The findings illustrate the efficacy of MARISMA-BP within eMARISMA for comprehensive risk assessment and management, underscoring its versatility and practical relevance in any business process environment.
PDF: https://www.sciencedirect.com/science/article/pii/S2214212624001315/pdfft?md5=79e2b72fbb70dc8c5f2f35e3717059dc&pid=1-s2.0-S2214212624001315-main.pdf
Citations: 0
Specifying cycles of minimal length for commonly used linear layers in block ciphers
IF 3.8, Zone 2, Computer Science
Journal of Information Security and Applications Pub Date: 2024-07-04 DOI: 10.1016/j.jisa.2024.103824
Guoqiang Deng, Yongzhuang Wei, Xuefeng Duan, Enes Pasalic, Samir Hodžić
Abstract: Nonlinear invariant attack applied to lightweight block ciphers relies on the existence of a nonlinear invariant $g: \mathbb{F}_2^n \to \mathbb{F}_2$ for the round function. Whereas invariants of the entire S-box layer have been studied in terms of the corresponding cycle structure, a similar analysis for the linear layer has not been performed yet. In this article, we provide a theoretical analysis for specifying the minimal length of cycles for commonly used linear permutations in lightweight block ciphers. Namely, using a suitable matrix representation, we exactly specify the minimal cycle lengths for those linear layers that employ ShiftRows, Rotational-XOR and circular Boolean matrix operations which can be found in many well-known families of block ciphers. These results are practically useful for the purpose of finding nonlinear invariants of the entire encryption rounds since these can be specified using the intersection of cycles corresponding to the linear and S-box layer. We also apply our theoretical analysis practically and specify minimal cycle lengths of linear layers for certain families of block ciphers including some NIST candidates.
Citations: 0
SL3PAKE: Simple Lattice-based Three-party Password Authenticated Key Exchange for post-quantum world
IF 3.8, Zone 2, Computer Science
Journal of Information Security and Applications Pub Date: 2024-07-02 DOI: 10.1016/j.jisa.2024.103826
Vivek Dabra, Saru Kumari, Anju Bala, Sonam Yadav
Abstract: Three-party Password Authenticated Key Exchange (3PAKE) is a protocol where two parties generate the same session key with the help of a trusted server. With the evolution of quantum computers, there is a growing need to develop the 3PAKE protocols that can resist the quantum attacks. Hence, various 3PAKE protocols have been proposed based on the famous Ring Learning With Error (RLWE) problem. But we find out that all these protocols are vulnerable to signal leakage attacks if their public/private keys are reused. Also, the design of these protocols are pretty complex, thus making these protocols highly inefficient. Hence, to overcome the above issues, we have proposed Simple Lattice-based 3PAKE (SL3PAKE), which is simple in its design and resists signal leakage attack if its public/private keys are reused. The order and flow of messages in the proposed SL3PAKE protocol is quite natural without added complexity, thus makes it simple 3PAKE protocol. Finally, we present the comparative analysis based on communication overhead among the proposed SL3PAKE and other three-party protocols. From the analysis, it has been shown that the proposed SL3PAKE protocol has much less communication overhead/communication rounds than the other three-party protocols.
Citations: 0