ICISSP 2018 Abstracts

Full Papers

Paper Nr:	6
Title:	Big Brother is Smart Watching You - Privacy Concerns about Health and Fitness Applications
Authors:	Christoph Stach
Abstract:	Health and fitness applications for mobile devices are becoming more and more popular. Due to novel wearable metering devices, the so-called Smartbands, these applications are able to capture both health data (e.g., the heart rate) as well as personal information (e.g., location data) and create a quantified self for their users. However, many of these applications violate the user's privacy and misuse the collected data. It becomes apparent that this threat is inherent in the privacy systems implemented in mobile platforms. Therefore, we apply the Privacy Policy Model (PPM) a fine-grained and modular expandable permission model to deals with this problem. We implement our adapted model in a prototype based on the Privacy Management Platform (PMP). Subsequently, we evaluate our model with the help the prototype and demonstrate its applicability for any application using Smartbands for its data acquisition.
Download

Paper Nr:	13
Title:	Incoming Call Implicit User Authentication - User Authentication via Hand Movement Pattern
Authors:	Aleksandr Eremin and Konstantin Kogos
Abstract:	This paper focuses on implicit authentication during answering an incoming call based on user’s hand movement. This approach allows to increase usability of authentication against common PIN or graphical password. It increases the security level as well. Unlike other researches in this area, our work considers the problem of answering a question, whether it is the owner of the phone, who is interacting with the device right now. The paper shows that user’s hand movement provides all necessary information for authentication and there is no need for user to enter a PIN or graphical password.
Download

Paper Nr:	17
Title:	ACCESSORS - A Data-Centric Permission Model for the Internet of Things
Authors:	Christoph Stach and Bernhard Mitschang
Abstract:	The Internet of Things (IoT) is gaining more and more relevance. Due to innovative IoT devices equipped with novel sensors, new application domains come up continuously. These domains include Smart Homes, Smart Health, and Smart Cars among others. As the devices not only collect a lot of data about the user, but also share this information with each other, privacy is a key issue for IoT applications. However, traditional privacy systems cannot be applied to the IoT directly due to different requirements towards the underlying permission models. Therefore, we analyze existing permission models regarding their applicability in the IoT domain. Based on this analysis, we come up with a novel permission model, implement it in a privacy system, and assess its utility.
Download

Paper Nr:	21
Title:	How to Break CaptchaStar
Authors:	Thomas Gougeon and Patrick Lacharme
Abstract:	Most of web sites adopt a Captcha system to distinguish malicious software from humans. This paper proposes an attack on a recent interactive image-based Captcha scheme, called CaptchaStar. The CaptchaStar was designed to be more secure and user friendly than existing solutions, however, as we show in this paper, it fails to meet these goals Nevertheless, the presented attack is very efficient, with a success rate for the attacker of 96% on the on-line version proposed by the authors. Moreover, the modification of CaptchaStar parameters (as noise addition) does not prevent our attack.
Download

Paper Nr:	27
Title:	Knock-Knock: The Unbearable Lightness of Android Notifications
Authors:	Constantinos Patsakis and Efthimios Alepis
Abstract:	Android Notifications can be considered as essential parts in Human-Smartphone interaction and inextricable modules of modern mobile applications that can facilitate User Interaction and improve User Experience. This paper presents how this well-crafted and thoroughly documented mechanism, provided by the OS can be exploited by an adversary. More precisely, we present attacks that result either in forging smartphone application notifications to lure the user in disclosing sensitive information, or manipulate Android Notifications to launch a Denial of Service attack to the users’ device, locally and remotely, rendering them unusable. This paper concludes by proposing generic countermeasures for the discussed security threats.
Download

Paper Nr:	34
Title:	Spectral Analysis of Keystroke Streams: Towards Effective Real-time Continuous User Authentication
Authors:	Abdullah Alshehri, Frans Coenen and Danushka Bollegala
Abstract:	Continuous authentication using keystroke dynamics is significant for applications where continuous monitoring of a user’s identity is desirable, for example in the context of the online assessments and examinations frequently encountered in eLearning environments. In this paper, a novel approach to realtime keystroke continuous authentication is proposed that is founded on a sinusoidal signal based approach that takes into consideration the sequencing of keystrokes. Three alternative time series representations are considered and compared: Keystroke Time Series (KTS), Discrete Fourier Transform (DFT) and Discrete Wavelet Transform (DWT). The proposed process is fully described and analysed using three keystroke dynamics datasets. The evaluation also includes a comparison with the established Feature Vector Representation (FVR) approach. The reported evaluation demonstrates that the proposed method, coupled with the DWT representation, out-performs other approaches to keystroke continuous authentication with a best overall accuracy of 98.24%; a clear indicator that the proposed keystroke continuous authentication using time series analysis has significant potential.
Download

Paper Nr:	35
Title:	Identifying Needs for a Holistic Modelling Approach to Privacy Aspects in Enterprise Software Systems
Authors:	Sascha Alpers, Roman Pilipchuk, Andreas Oberweis and Ralf Reussner
Abstract:	Modelling is a common method for both Business Architecture Management and for Software Architecture Management. In general, there is a gap in the model continuity between business models and software models. Especially when modelling compliance driven requirements like privacy traceability is important for compliance checks and helps to build the models in an efficient way. In this paper, approaches for modelling privacy from business and software engineering perspective are examined. A key finding is that there is currently no comprehensive modelling approach covering the needed aspects and perspectives.
Download

Paper Nr:	40
Title:	A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System
Authors:	Ziya Alper Genç, Gabriele Lenzini, Peter Y. A. Ryan and Itzel Vazquez Sandoval
Abstract:	In 2013 Juels and Rivest introduced the Honeywords System, a password-based authentication system designed to detect when a password file has been stolen. A Honeywords System stores passwords together with indistinguishable decoy words so when an intruder steals the file, retrieves the words, and tries to log-in, he does not know which one is the password. By guessing one from the decoy words, he may not be lucky and reveal the leak. Juels and Rivest left a problem open: how to make the system secure even when the intruder corrupted the login server’s code. In this paper we study and solve the problem. However, since “code corruption” is a powerful attack, we first define rigorously the threat and set a few assumptions under which the problem is still solvable, before showing meaningful attacks against the original Honeywords System. Then we elicit a fundamental security requirement, implementing which, we are able to restore the Honeywords System’s security despite a corrupted login service. We verify the new protocol’s security formally, using ProVerif for this task. We also implement the protocol and test its performance. Finally, at the light of our findings, we discuss whether it is still worth using a fixed honeywords-based system against such a powerful threat, or whether it is better, in order to be resilient against code corruption attacks, to design afresh a completely different password-based authentication solution.
Download

Paper Nr:	42
Title:	BroncoVote: Secure Voting System using Ethereum’s Blockchain
Authors:	Gaby G. Dagher, Praneeth Babu Marella, Matea Milojkovic and Jordan Mohler
Abstract:	Voting is a fundamental part of democratic systems; it gives individuals in a community the faculty to voice their opinion. In recent years, voter turnout has diminished while concerns regarding integrity, security, and accessibility of current voting systems have escalated. E-voting was introduced to address those concerns; however, it is not cost-effective and still requires full supervision by a central authority. The blockchain is an emerging, decentralized, and distributed technology that promises to enhance different aspects of many industries. Expanding e-voting into blockchain technology could be the solution to alleviate the present concerns in e-voting. In this paper, we propose a blockchain-based voting system, named BroncoVote, that preserves voter privacy and increases accessibility, while keeping the voting system transparent, secure, and cost-effective. BroncoVote implements a university-scaled voting framework that utilizes Ethereum’s blockchain and smart contracts to achieve voter administration and auditable voting records. In addition, BroncoVote utilizes a few cryptographic techniques, including homomorphic encryption, to promote voter privacy. Our implementation was deployed on Ethereum’s Testnet to demonstrate usability, scalability, and efficiency.
Download

Paper Nr:	49
Title:	Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization
Authors:	Iman Sharafaldin, Arash Habibi Lashkari and Ali A. Ghorbani
Abstract:	With exponential growth in the size of computer networks and developed applications, the significant increasing of the potential damage that can be caused by launching attacks is becoming obvious. Meanwhile, Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) are one of the most important defense tools against the sophisticated and ever-growing network attacks. Due to the lack of adequate dataset, anomaly-based approaches in intrusion detection systems are suffering from accurate deployment, analysis and evaluation. There exist a number of such datasets such as DARPA98, KDD99, ISC2012, and ADFA13 that have been used by the researchers to evaluate the performance of their proposed intrusion detection and intrusion prevention approaches. Based on our study over eleven available datasets since 1998, many such datasets are out of date and unreliable to use. Some of these datasets suffer from lack of traffic diversity and volumes, some of them do not cover the variety of attacks, while others anonymized packet information and payload which cannot reflect the current trends, or they lack feature set and metadata. This paper produces a reliable dataset that contains benign and seven common attack network flows, which meets real world criteria and is publicly avaliable. Consequently, the paper evaluates the performance of a comprehensive set of network traffic features and machine learning algorithms to indicate the best set of features for detecting the certain attack categories.
Download

Paper Nr:	55
Title:	VisABAC: A Tool for Visualising ABAC Policies
Authors:	Charles Morisset and David Sanchez
Abstract:	Authoring and editing access control policy can be a complex and cognitive demanding task, especially when dealing with a large number of rules and attributes. Visualisation techniques are known to be helpful to users analysing intricate data, and can, in some contexts, help decreasing the cognitive load. In this paper, we propose a new tool, VisABAC, which enables the visualisation of attribute based access control policies using the Circle Packing method. We used a participatory design, following a survey of existing visualisation methods in access control. VisABAC is designed as a web-page component, developed in Javascript using the D3.js library, and as such is easily usable without requiring any particular setup. In addition to presenting VisABAC, we demonstrate its usability by conducting a controlled experiment with 32 participants, asking them to change some attribute values in order to obtain a given decision for a policy, and measuring the time taken by participants to conduct these tasks (the faster, the better). We show a small to medium effect size (d =0:44), thus indicating that VisABAC is a promising tool for authoring and editing access control policies.
Download

Paper Nr:	56
Title:	A Comparative Analysis of Current Cryptocurrencies
Authors:	Lara Mauri, Stelvio Cimato and Ernesto Damiani
Abstract:	Blockchain technology is having a deep impact on the financial and technical sectors providing a mechanism for the creation of decentralized currencies and a number of applications in different fields. At the core of the technology there is a consensus protocol enabling the maintenance of a distributed ledger. In general current systems are complex schemes that implement a combination of cryptographic algorithm, distributed techniques, and incentive driven behaviour. In this paper we focus on three of the most diffused platforms, i.e. Bitcoin, Ripple, and Ethereum, and provide a comparative analysis of their most important features such as the architecture, the scripting language, the economic and security properties.
Download

Paper Nr:	57
Title:	Inferring Smartphone Users’ Handwritten Patterns by using Motion Sensors
Authors:	Wei-Han Lee, Jorge Ortiz, Bongjun Ko and Ruby Lee
Abstract:	Mobile devices including smartphones and wearable devices are increasingly gaining popularity as platforms for collecting and sharing sensor data, such as the accelerometer, gyroscope, and rotation sensor. These sensors are used to improve the convenience of smartphone users, e.g., supporting the mobile UI motion-based commands. Although these motion sensors do not require users’ permissions, they still bring potential risks of leaking users’ private information reflected by the changes of sensor readings. In this paper, we investigate the feasibility of inferring a user’s handwritten pattern on a smartphone touchscreen by using the embedded motion sensors. Specifically, our inference attack is composed of two key steps where we 1) first exploit the dynamic time warping (DTW) technique to differentiate any pair of time-series sensor recordings corresponding to different handwritten patterns; and 2) develop a novel sensor fusion mechanism to integrate information contained in multiple motion sensors by exploiting the majority voting strategy. Through extensive experiments using real-world data sets, we demonstrate the effectiveness of our proposed attack which can achieve 91.4% accuracy for inferring smartphone users’ handwritten patterns.
Download

Paper Nr:	58
Title:	On App-based Matrix Code Authentication in Online Banking
Authors:	Vincent Haupert and Tilo Müller
Abstract:	Owing to their growing popularity, smartphones have made two-step authentication schemes not only accessible to everybody but also inexpensive for both the provider and the end user. Although app-based two-factor methods provide an additional element of authentication, they pose a risk if they are used as a replacement for an authentication system that is already secured by two-factor authentication. This particularly affects digital banking. Unlike methods backed by dedicated hardware to securely legitimize transactions, authentication apps run on multi-purpose devices such as smartphones and tablets, and are thus exposed to the threat of malware. This vulnerability becomes particularly damaging if the online banking app and the authentication app are both running on the same device. In order to emphasize the risks that single-device mobile banking poses, we show a transaction manipulation attack on the app-based authentication schemes of Deutsche Bank, Commerzbank, and Norisbank. Furthermore, we evaluate whether the matrix code authentication method that these banks and Comdirect implement—widely known as photoTAN—is compliant with the upcoming Revised Payment Service Directive (PSD2) of the European Banking Authority (EBA).
Download

Paper Nr:	66
Title:	Relational Database Anonymization - A Model-driven Guiding Approach
Authors:	Feten Ben Fredj, Nadira Lammari and Isabelle Comyn-Wattiau
Abstract:	Personal data anonymization requires complex algorithms aiming at avoiding disclosure risk without compromising data utility. In this paper, we describe a model-driven approach guiding the data owner during the anonymization process. Depending on the step, the guidance is informative or suggestive. It helps in choosing the most relevant algorithm given the data characteristics and the future usage of anonymized data. It also helps in defining the best input values for the chosen algorithm. The contribution is twofold: a meta-model describing the anonymization process and components and an approach based on this meta-model. In this paper, we focus on microdata generalization algorithms. Both theoretical and experimental knowledge regarding anonymization is stored in an ontology. An experiment, conducted with sixteen participants allowing us to check the usability of the approach, is described.
Download

Short Papers

Paper Nr:	10
Title:	Prerequisite to Measure Information Security - A State of the Art Literature Review
Authors:	Rainer Diesch, Matthias Pfaff and Helmut Krcmar
Abstract:	The field of information security is growing in research and practice over the past years. Recent studies highlight a gap in measuring and monitoring information security. In this context various definitions and synonymous expressions exist to describe information security. The aim of the work is to compare and delimit the various terms in this field of research and give a thematic overview of current articles in place. In particular, five dimensions of information security are developed and outlined. Additionally, an overview of possible research directions in the field of measuring and monitoring information security is provided.
Download

Paper Nr:	11
Title:	Evaluation of Biometric Template Protection Schemes based on a Transformation
Authors:	Christophe Rosenberger
Abstract:	With more and more applications using biometrics, new privacy and security risks arise. New biometric schemes have been proposed in the last decade following a privacy by design approach: biometric template protection systems. Their quantitative evaluation is still an open research issue. The objective of this paper is to propose a new evaluation methodology for template protection systems based on a transformation by proposing some metrics for testing their performance and robustness to face attacks. These metrics enable us to estimate the probability of successful attacks considering different scenarios. We illustrate this evaluation methodology on two transformation based template protection schemes in order to show how some security and privacy properties can be checked by simulating attacks.
Download

Paper Nr:	14
Title:	Measuring Identity and Access Management Performance - An Expert Survey on Possible Performance Indicators
Authors:	Matthias Hummer, Sebastian Groll, Michael Kunz, Ludwig Fuchs and Günther Pernul
Abstract:	Currently existing digital challenges such as securing access, proof of compliance with regulations and improvement of business performance are urging companies to implement structured Identity and Access Management (IAM). Over the past decades, the introduction of IAM represented a critical task for companies trying to get their complex IT infrastructures comprising hundreds of systems, thousands of accounts and millions of access right assignments under control. However, once introduced, the identification of potential IAM malfunctions remains an unsolved challenge. Within this paper, we want to provide a first step into the direction of sustainable IAM maintenance, by introducing indicators that are able to capture the efficiency of a rolled-out IAM. We firstly derive IAM performance indicators via a structured scientific approach and later evaluate their relevance by surveying IAM experts.
Download

Paper Nr:	16
Title:	Securing the Flow - Data Flow Analysis with Operational Node Structures
Authors:	Michael Meinig and Christoph Meinel
Abstract:	After land, sea, air and space, cyberspace has become the fifth domain of warfare. Organizations recognize the need for protecting confidential, secret - classified – information. Competitors and adversaries turn to illegal methods to obtain classified information. They try to gain a competitive advantage or close a technological gap as well as reduce dependencies on others. Classified information involves facts, subject matters or knowledge needing to be kept secret, regardless of the way in which the information is depicted. In networks with different security classifications a direct physical connection is not allowed. Consequently the possibility of coupling different security domains in affected organizations must be checked comprehensively under security aspects. In this paper we present a new security approach that helps to identify threats at transitions and security zones on valid data flow paths. It can be used to display security challenges within organizations using classified information such as governmental or military organizations. The methodology also incorporates new attributes for data flows in connected systems or processes.
Download

Paper Nr:	24
Title:	Face Spoofing Detection for Smartphones using a 3D Reconstruction and the Motion Sensors
Authors:	Kim Trong Nguyen, Cathel Zitzmann, Florent Retraint, Agnès Delahaies, Frédéric Morain-Nicolier and Hoai Phuong Nguyen
Abstract:	Face recognition system is proven to be vulnerable to face spoofing attack. Many approaches have been proposed in the literature to resolve this vulnerability. This paper proposes a novel method dedicated to mobile systems. The approach asks users to capture a video by moving the device around their face. Thanks to a 3D reconstruction process, the shape of the object is estimated from the video. By evaluating this 3D shape, we can rapidly eliminate attacks in which a photo of a legitimate face is used. Then, the camera’s poses estimated from the 3D reconstruction is used to be compared to the data captured from the device’s motion sensors. Experimental results on a real database show the efficiency of the proposed approach.
Download

Paper Nr:	26
Title:	SAFEPASS - Presenting a Convenient, Portable and Secure Password Manager
Authors:	Onur Hakbilen, Piraveen Perinparajan, Michael Eikeland and Nils Ulltveit-Moe
Abstract:	SAFEPASS is a password manager implemented as a self-contained application, developed with principles and ideas based on industry best practices and analysis of existing popular password managers. All password managers try to solve the same problem of avoiding bad passwords and poor user habits when managing passwords. Security measures are from a high-level perspective similar across competing products, however, each of them have some deficiencies, although typically not the same. SAFEPASS aims at being an all-around good password manager for all purposes that avoid these deficiencies. It is based on modern technologies from the JavaScript and .NET ecosystem including React, Xamarin, and ASP.NET Core. By using the Flux architecture, SAFEPASS gives the average user ability to tweak most of its core functionality while staying within recommended security margins. Advanced users are also given room for customization through more technical security options. SAFEPASS does, in particular, have a focus on security, portability, convenience and good design.
Download

Paper Nr:	32
Title:	Cyber Threat Information Classification and Life Cycle Management using Smart Contracts
Authors:	Roman Graf and Ross King
Abstract:	Nowadays, cyber critical infrastructures (CIs) are increasingly targeted by highly sophisticated cyber attacks and should be protected. Advances in cyber situational awareness technology lead to the creation of increasingly complex tools. Human analysts face challenges finding relevant information in large, complex data sets, when exploring data to discover patterns and insights. To be effective in identifying and defeating future cyber-attacks, cyber analysts require novel tools for incident report classification and life cycle management that can automatically analyse and share result in secure way between CI stakeholders to achieve better situation comprehension. Our goal is to provide solutions in realtime that could replace human input for cyber incident classification and management tasks to eliminate irrelevant information and to focus on important information to promptly adopt suitable countermeasures in case of an attack. Another contribution relates to the provided support for document life cycle management that should reduce the number of manual operations and save storage space. In this paper we evaluate the application of so-called “smart contracts” to an incident classification system and assess its accuracy and performance. We demonstrate how the presented techniques can be applied to support incident handling tasks performed by security operation centers (SOCs).
Download

Paper Nr:	37
Title:	Towards Risk-aware Access Control Framework for Healthcare Information Sharing
Authors:	Mohamed Abomhara, Geir M. Køien, Vladimir A. Oleshchuk and Mohamed Hamid
Abstract:	Access control models play an important role in the response to insider threats such as misuse and unauthorized disclosure of the electronic health records (EHRs). In our previous work in the area of access control, we proposed a work-based access control (WBAC) model that strikes a balance between collaboration and safeguarding sensitive patient information. In this study, we propose a framework for risk assessment that extend the WBAC model by incorporating a risk assessment process, and the trust the system has on its users. Our framework determines the risk associated with access requests (user’s trust level and requested object’s security level) and weighting such risk against the risk appetite and risk threshold of situational conditions. Specifically, an access request will be permitted if the risk threshold outweighs the risk of granting access to information, otherwise it will be denied.
Download

Paper Nr:	38
Title:	A Risk-aware Access Control Model for Biomedical Research Platforms
Authors:	Radja Badji and Fida K. Dankar
Abstract:	Data sharing and collaboration are important success factors for modern biomedical research. As biomedical data contains sensitive information, any mechanism that governs biomedical data sharing should protect subjects’ privacy while providing high-utility data in an efficient and prompt manner. The use of biomedical data for research has been studied extensively from the legal aspect. Several regulations control its use and sharing to limit privacy risks. However, current sharing mechanisms can be a barrier to the research community needs. Going through the IRB process is time consuming and will become a bottleneck for the intensive data need of the biomedical research community. Alternatively, creating a universal de-identified research sub-dataset accessible through honest-broker-systems will not satisfy all research use-cases, as stringent de-identification methods can reduce data utility. A risk-aware access control model is a good alternative toward making data more available. In such a model, data requests are evaluated against their incurred privacy risks, and are granted access after the application of appropriate protection levels. In this paper, we describe a formal risk-aware model that will be used in the access control layer and describe the different risk components that can be combined to provide a decision against a data access request.
Download

Paper Nr:	39
Title:	Towards an Optimal Template Reduction for Securing Embedded Fingerprint Devices
Authors:	Benoît Vibert, Christophe Charrier, Jean-Marie Le bars and Christophe Rosenberger
Abstract:	Template protection is an important issue in biometrics for security and privacy reasons. One solution for securing fingerprint data is to store it on a Secure Element (a microcircuit chipset such as a smartcard). An embedded On-Card-Comparison (OCC) module permits to compare two biometric templates and generates a similarity score. The biometric template is usually composed of minutiae extracted from the fingerprint image because a Secure element is limited in terms of memory and computation capabilities. For these reasons, a template reduction is necessary to quickly process fingerprint comparison. In this paper, we propose a new fingerprint template reduction scheme by approximating the optimal choice of minutiae with a genetic algorithm. We compared the proposed method with approaches from the literature using a fingerprint dataset and three matching algorithms. The experimental results show the benefit of the proposed method especially in order to estimate the optimal performance when reducing the fingerprint template given a number of minutiae to use.
Download

Paper Nr:	41
Title:	Malicious PDF Documents Detection using Machine Learning Techniques - A Practical Approach with Cloud Computing Applications
Authors:	Jose Torres and Sergio De los Santos
Abstract:	PDF has been historically used as a popular way to spread malware. The file is opened because of the confidence the user has in this format, and malware executed because of any vulnerability found in the reader that parses the file and gets to execute code. Most of the time, JavaScript is involved in some way in this process, exploiting the vulnerability or tricking the user to get infected. This work aims to verify whether using Machine Learning techniques for malware detection in PDF documents with JavaScript embedded could result in an effective way to reinforce traditional solutions like antivirus, sandboxes, etc. Additionally, we have developed a base framework for malware detection in PDF files, specially designed for cloud computing services, that allows to analyse documents online without needing the document content itself, thus preserving privacy. In this paper we will present the comparison results between different supervised machine learning algorithms in malware detection and a overall description of our classification framework.
Download

Paper Nr:	45
Title:	Privacy-preserving Biometric Authentication Model for e-Finance Applications
Authors:	Christina-Angeliki Toli and Bart Preneel
Abstract:	Widespread use of biometric architectures implies the need to secure highly sensitive data to respect the privacy rights of the users. In this paper, we discuss the following question: To what extent can biometric designs be characterized as Privacy Enhancing Technologies? The terms of privacy and security for biometric schemes are defined, while current regulations for the protection of biometric information are presented. Additionally, we analyze and compare cryptographic techniques for secure biometric designs. Finally, we introduce a privacy-preserving approach for biometric authentication in mobile electronic financial applications. Our model utilizes the mechanism of pseudonymous biometric identities for secure user registration and authentication. We discuss how the privacy requirements for the processing of biometric data can be met in our scenario. This work attempts to contribute to the development of privacy-by-design biometric technologies.
Download

Paper Nr:	46
Title:	Alignment-free Cancellable Template Generation for Fingerprint based Authentication
Authors:	Rumana Nazmul, Md. Rafiqul Islam and Ahsan Raja Chowdhury
Abstract:	With the emergence and extensive deployment of biometric based user authentication system, ensuring the security of biometric template is becoming a growing concern in research community. One approach of securing biometric data is cancellable biometric which transforms the original biometric features into a non-invertible form for enrolment and matching. However, most of the schemes for generating cancellable template are alignment-based requiring an accurate alignment of query and enrolled images, which is very difficult to achieve. In this paper, we propose an alignment-free technique for generating revocable fingerprint template that exploits the local features i.e., minutiae details in a fingerprint image. A rotation and translation invariant values are extracted from the neighbouring region of each minutia. The invariant values are then used as inputs in a transformation function and combined with a stored and a user-specific key based random vectors using the type and orientation information of the minutiae. Hence, by varying the stored and user-specific keys in the transformation, multiple application-specific templates can be generated to preserve users’ privacy. Besides, if the transformed template is compromised, a new template can be reissued by assigning different keys for transformation to achieve revocability. Furthermore, the proposed approach preserves the actual geometric relationships between the enrolled and query templates even after transformation and offers reasonable recognition rate. Experiments conducted on FVC2000 DB1 demonstrate that the proposed method exhibits promising performance in terms of recognition accuracy, computational complexity, security along with diversity, revocability and non-invertibility that are the key issues of cancellable template generation.
Download

Paper Nr:	48
Title:	Is Bigger Safer? Analyzing Factors Related to Data Breaches using Publicly Available Information
Authors:	Ohud Alqahtani, Zhiyuan Chen, Qiong Huang and Karthik Gottipati
Abstract:	Data breaches have affected hundreds of millions of people. As consumers are exposed to constant risks of data breaches, it makes sense to ask what are the factors that contribute to data breaches such that consumers can make more conscious decisions to reduce risks. For example, suppose a consumer want to open a bank account, shall she use a bigger international bank or a smaller community bank considering risks of data breaches? Existing work on risk or vulnerability analysis typically requires detail internal information of an information system, which is not available to the public. Furthermore organizations typically do not want results of such analysis of their IT systems to be made public. This paper proposes a novel approach that analyzes publicly available information to identify factors contributing to higher data breach risks. This paper also presents an initial study that correlates data breaches in the US from 2005 to 2017 with publicly available information about affected organizations. We find that size and name recognition of these organizations are two factors contributing to higher data breach risks. This calls for further study in this direction.

Paper Nr:	51
Title:	Impact of Code Obfuscation on Android Malware Detection based on Static and Dynamic Analysis
Authors:	Alessandro Bacci, Alberto Bartoli, Fabio Martinelli, Eric Medvet, Francesco Mercaldo and Corrado Aaron Visaggio
Abstract:	The huge diffusion of malware in mobile platform is plaguing users. New malware proliferates at a very fast pace: as a matter of fact, to evade the signature-based mechanism implemented in current antimalware, the application of trivial obfuscation techniques to existing malware is sufficient. In this paper, we show how the application of several morphing techniques affects the effectiveness of two widespread malware detection approaches based on Machine Learning coupled respectively with static and dynamic analysis. We demonstrate experimentally that dynamic analysis-based detection performs equally well in evaluating obfuscated and non-obfuscated malware. On the other hand, static analysis-based detection is more accurate on non-obfuscated samples but is greatly negatively affected by obfuscation: however, we also show that this effect can be mitigated by using obfuscated samples also in the learning phase.
Download

Paper Nr:	53
Title:	Enhancing Security Education - Recognising Threshold Concepts and Other Influencing Factors
Authors:	Ismini Vasileiou and Steven Furnell
Abstract:	Users are frequently recognised as lacking a necessary level of security education, and even where efforts are made to provide it, they are rarely matched directly to the needs of the audience. This paper examines the gap between the typical provision of security education and what could be achieved via an approach that recognises differences between the individuals that are being targeted. The discussion highlights baseline areas of security literacy that are applicable to all users, but then illustrates how variations in individuals’ understanding of threshold concepts could complicate the task of delivering the related education. An approach is proposed in which security education becomes more tailored, recognising factors such as the user’s prior knowledge, learning style, and existing perception of security, leading to a personalised security education plan that is framed towards individual needs.
Download

Paper Nr:	54
Title:	Decoy Systems with Low Energy Bluetooth Communication
Authors:	Aaron Hunter and Kenneth C. K. Wong
Abstract:	We propose an architecture for a decoy system that uses low energy Bluetooth devices for communication. We argue that these devices can be effective not only due to low power consumption, but also because an attacker can not detect the signal from a distance. As such, information sent from the decoy system to a monitoring system is unlikely to be noticed by an attacker. We describe a physical system that we have developed for testing and experimentation with this approach. The results so far are promising both in terms of the effectiveness of monitoring, and also with respect to the hidden communication. Moreover, while the decoy system is high-interaction, it does not lead to any system interruption on the main system. Our system is novel in that it is developed from scratch, using low-cost hardware in a manner that accurately captures the way communication would happen in a real system. We discuss the advantages and limitations of our framework, and discuss possible approaches to establishing formal proofs of security for this kind of physical system.
Download

Paper Nr:	64
Title:	Towards a Cyber Security Label for SMEs: A European Perspective
Authors:	Christophe Ponsard, Jeremy Grandclaudon and Gautier Dallons
Abstract:	Most SMEs underestimate or minimize the cyber security risks they have to face. Moreover, they are not aware that the security context is changing rapidly at different levels. At legislative level, new reference frameworks are created such as the GDPR. At normative level, security standards are evolving and increasingly required. At technical level, threats and technologies are progressing in parallel making security control and management a complex task. This position paper presents our approach and current progress in developing a cyber security label for SMEs supported by accredited third party companies expert in this field. The pursued goal is to raise the awareness of SMEs w.r.t. cyber security and to help them achieving and maintaining an adequate level of protection. We position our work in the landscape of existing frameworks and similar labelling initiatives developed in other European countries.
Download

Paper Nr:	67
Title:	Secure Two-party Agglomerative Hierarchical Clustering Construction
Authors:	Mona Hamidi, Mina Sheikhalishahi and Fabio Martinelli
Abstract:	This paper presents a framework for secure two-party agglomerative hierarchical clustering construction over partitioned data. It is assumed that data is distributed between two parties horizontally, such that for mutual benefits both parties are willing to identify clusters on their data as a whole, but for privacy restrictions, they avoid to share their datasets. To this end, in this study, we propose general algorithms based on secure scalar product and secure hamming distance computation to securely compute the desired criteria in constructing clusters’ scheme. The proposed approach covers all possible secure agglomerative hierarchical clustering construction when data is distributed between two parties, including both numerical and categorical data.
Download

Paper Nr:	69
Title:	Querying Encrypted Graph Databases
Authors:	Nahla Aburawi, Alexei Lisitsa and Frans Coenen
Abstract:	We present an approach to execution of queries on encrypted graph databases. The approach is inspired by CryptDB system for relational DBs (R. A. Popa et al). Before processing a graph query is translated into encrypted form which then executed on a server without decrypting any data; the encrypted results are sent back to a client where they are finally decrypted. In this way data privacy is protected at the server side. We present the design of the system and empirical data obtained by experimentation with a prototype, implemented for Neo4j graph DBMS and Cypher query language, utilizing Java API. We report the efficiency of query execution for various types of queries on encrypted and non-encrypted Neo4j graph databases.
Download

Paper Nr:	73
Title:	Encryption Schemes based on a Single Permutation: PCBC, POFB, PCFB and PCTR
Authors:	Kaiyan Zheng and Peng Wang
Abstract:	In this paper we discuss how to construct encryption schemes from permutations. Firstly we discuss an intuitive way to design permutation-based encryption schemes, that is by combining mainstream blockcipherbased encryption modes (such as CBC, OFB, CFB, CTR) with the Even-Mansour cipher, which is an elegant permutation-based blockcipher. Unfortunately, most of encryption schemes produced by the combination strategy are not secure enough. Then we propose 4 permutation-based encryption schemes - PCBC, POFB, PCFB and PCTR, which can resist both the blockwise adaptive attack and the F-related-key attack when using a non-repeated nonce. To illustrate it, we give a definition of the indistinguishability from random bits against blockwise adaptive chosen plaintext attack in the F-related-key setting, and then prove the security of PCBC in such definition. The other 3 schemes have similar results. Constructing from a single permutation, these 4 encryption schemes are practical, in the sense that they are less prone to misuse, bring less pressure on the key-management in real world, and apply to blockwise adaptive scenarios including real-time applications, on-line settings, memory-restricted devices, etc. Moreover they are more efficient than the Sponge construction.
Download

Paper Nr:	76
Title:	A Test of Structured Threat Descriptions for Information Security Risk Assessments
Authors:	Henrik Karlzen, Johan Bengtsson and Jonas Hallberg
Abstract:	Assessing information security risks has proven difficult, with prevalent methods lacking clarity and resulting in assessments that vary with the rater. In this paper, we use a questionnaire based approach to investigate whether a more structured method, partitioning threat descriptions into smaller parts, can be useful. Although the new method did not result in less cognitive load, lower uncertainty, or overall reduced rater-dependency, there were strong indications that it lowered rater-dependency among raters with the highest expertise, reaching the consensus levels of experts in the intrusion detection domain. Conversely, non-experts seem to perform better with the traditional descriptive method. Caution is needed when interpreting this, as the Dunning-Kruger effect may have skewed the self-reporting of expertise. Further, the less certain raters were more prone to rate severity lower, indicating the missing variable of risk aversion. Moreover, other kinds of bias are discussed, and further structuring is proposed.
Download

Paper Nr:	77
Title:	Unsupervised Holiday Detection from Low-resolution Smart Metering Data
Authors:	Günther Eibl, Sebastian Burkhart and Dominik Engel
Abstract:	The planned Smart Meter rollout at a large scale has raised privacy concern. In this work for the first time holiday detection from smart metering data is presented. Although holiday detection may seem easier than occupancy detection, it is shown that occupancy detection methods must at least be adapted when used for holiday detection. A new, unsupervised method for holiday detection that applies classification algorithms on a suitable re-formulation of the problem is presented. Several algorithms were applied to a big, realistic smart metering dataset that – compared to existing datasets for occupancy detection – is unique in terms of number of households (869) and measurement duration (>1 year) and has a realistic low time resolution of 15 minutes. This allows for more realistic checks of seemingly plausible but unconfirmed assumptions. This work is merely a first starting point for further research in this area with more research questions raised than answered. While the results of the algorithms look plausible in a visual analysis, testing for data with ground truth is most importantly needed.
Download

Paper Nr:	79
Title:	Attack Tree for Modelling Unauthorized EMV Card Transactions at POS Terminals
Authors:	Dilpreet Singh, Ron Ruhl and Hamman Samuel
Abstract:	Europay, MasterCard and Visa (EMV) is a dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. One goal of the EMV protocol is to secure debit and credit transactions at a point-of-sale (POS) terminal, but still there are vulnerabilities, which can lead to unauthorized disclosure of cardholder data. This research paper will provide the reader with a single document listing the vulnerabilities leading to various possible attacks against EMV payment card transaction process at a POS terminal. Attack tree methodology will be used to document these vulnerabilities. This research will also provide the countermeasures against various possible attacks.
Download

Paper Nr:	5
Title:	Privacy Compliant Multi-biometric Authentication on Smartphones
Authors:	Alexandre Ninassi, Sylvain Vernois and Christophe Rosenberger
Abstract:	Smartphones are more and more used by Internet users for different services such as social networks, e-commerce or email. User authentication with passwords on such devices is not user-friendly and does not offer a high security level for this task. Biometrics is becoming one popular solution to achieve this goal with the embedding of fingerprint scanners in smartphones. In this paper, we propose a new protocol combining fingerprint and behavioral biometrics to enhance the security of user authentication while preserving usability and privacy. The behavior when entering a pattern based authentication on the smartphone touch screen is considered as a fast and usable solution for users. We think the proposed multi-biometric solution offers great advantages for many applications such as e-payment in terms of security, usability and privacy. We show through experimental results the efficiency of the proposed method.
Download

Paper Nr:	7
Title:	Automated Detection of the Early Stages of Cyber Kill Chain
Authors:	Ian Herwono and Fadi Ali El-Moussa
Abstract:	Early detection of cyber threats is critical for proactive network defence and protection against data, financial and reputation loss that could be caused by large-scale security breach. Continuous monitoring and in-depth analysis of related system and network events are required to achieve the objective. However cyber threat hunting activities are both time-consuming and labour-intensive; the prospect of being able to automate them effectively is thus worth exploring. In this paper we introduce the prototype of our attack detection tool for automating the process of discovering and correlating security events towards early threat detection. Its main objective is to facilitate continuous event monitoring and to alert security analysts whenever a series of detected events and activities may indicate early stages of a cyber kill chain. The process automation will reduce the load of human analysts and spare them valuable time to investigate more sophisticated, unknown attacks. We provide two use cases which describe the chain of tasks a security analyst would have to perform when investigating cyber incidents and trying to identify the systems targeted by potential attack. We then show how to create attack detection plans for those use cases and apply them on relevant datasets. We present the results produced by the tool and discuss our future work on context-aware classification of security events which aims to make the detection process more efficient.
Download

Paper Nr:	8
Title:	The Rapid Extraction of Suspicious Traffic from Passive DNS
Authors:	Wenbo Wang, Tianning Zang and Yuqing Lan
Abstract:	The network traffic is filled with numerous malicious requests, most of which is generated by amplified at-tacks, random subdomain name attacks and botnets. Through using DNS traffic for malicious behavior anal-ysis, we often need to test each domain alone. Besides, the amount of data is very large and simple filtering cannot quickly reduce the need to detect the number of domain names. As a result, it takes a lot of time to calculate on the premise of limited resources. Therefore, this paper introduces a extraction scheme for DNS traffic. We designed a simple and efficient method for extracting three kinds of attack traffic with the largest proportion of traffic. Besides, the method of statistics and classification was used to deal with all the traffic. We implemented a prototype system and evaluated it on real-world DNS traffic. In the meanwhile, as the recall rate reached almost 100%, the number of secondary domain names to be detected was reduced to 8% of the original quantity, and the DNS record to be detected was reduced to 1% of the original number.
Download

Paper Nr:	9
Title:	Modular Platform for Customer-Side Detection of BGP Redirection Attacks
Authors:	Marco Silva, António Nogueira and Paulo Salvador
Abstract:	Border Gateway Protocol (BGP) enables world-wide Internet connectivity and its inherent non-secure characteristics, together with the nonexistence of a trustable identity that correlates IP network prefixes with the Autonomous Systems (AS) allowed to announce them, opens the way to attacks or misconfiguration on a world-wide scale. Since corporate customers do not have access to the whole routing information used by Internet Service Providers (ISP), they can not act against these kind of attacks and must only rely on the ISP to promptly detect and take measures to mitigate them. This paper presents a world-wide distributed probing platform, with a simple and very low cost implementation, that can be used to detect traffic routing variations. Upon detection, the corporate customer can locally deploy security policies while notifying its network service provider(s) and requesting for further actions.
Download

Paper Nr:	12
Title:	Phishing Through Time: A Ten Year Story based on Abstracts
Authors:	Ana Ferreira and Pedro Vieira-Marques
Abstract:	For a researcher interested in phishing, it would be useful to access an overview of phishing evolution through time, where a set of methods, tools, solutions, user studies, type of attacks, countermeasures and so on, could be acquired from a single story. This story is essential for the security community to improve on existing research as well as build new effective countermeasures to face phishing attacks. However, no systematic review exists in the literature providing a wide overview of all phishing topics. Available reviews usually focus on one or two at a time. In fact, since there is widely available and varied literature on phishing, making a comprehensive review can take a long time and be cumbersome. This paper describes a method to perform a review on abstracts of 605 scientific papers selected from major online research databases, between 2006 and 2016. The study uses a qualitative categorization software to, for the first time, achieve a story of phishing trends in its existing research strands for that period. According to obtained results, no single solution for the phishing threat could yet be found and most research is turning now into more integrated socio-technical and human related solutions.
Download

Paper Nr:	19
Title:	A Cyber Safety Model for Schools in Mozambique
Authors:	Martina J. Zucule de Barros and Horst Lazarek
Abstract:	The use of the internet and Information Technology (IT) provide innumerable facilities for individuals. Children and young people are the most active group who use and explore all the facilities promoting their social well-being. However, all of these facilities also pose several risks especially for children and young people. Online dangers such as cyberbullying, child pornography and identify theft represent a danger for them. Thus, educate them about online dangers is a crucial aspect. Worldwide, especially in developed countries many initiatives have been implementing to raise awareness and educate children and young people how to behave safely in cyberspace. In developing countries for instance, in African countries these type of initiatives are at its infancy stages or does not exist. Currently, there is lack of these initiatives in Mozambique. Therefore, this paper proposes a cyber safety model for primary and secondary schools in Mozambique to address this gap and promote a cyber safety culture among children and young people.
Download

Paper Nr:	20
Title:	Hardware-based Cyber Threats
Authors:	Thiago Alves and Thomas Morris
Abstract:	During the last decade, cyber-security experts have been trying to mitigate attacks against computer networks and software. After the internet, the proliferation of thousands of virus, worms and trojans became easier, which then required enhancements for Operating Systems, browsers and anti-virus software in order to keep their users safe. However, what happens when the threat comes from the hardware? The Operating System trusts entirely in the hardware to perform its operations. If the hardware has been taken, it becomes much harder to regain control of the system. This paper describes eight different approaches to hardware attacks against software. It also demonstrates how to perform an attack using a USB device patched to behave like a generic HID Input Device, in order to insert malicious code in the system.
Download

Paper Nr:	22
Title:	Towards a Personal Identity Code Respecting Privacy
Authors:	D. Migdal and C. Rosenberger
Abstract:	Various applications on Internet require information on users, to verify their right to access services (verification of identity proofs s.a. passwords), to avoid attacks (s.a. paedophilia, profile usurpations), or to give trust to users (e.g. in social networks). In this paper, we introduce a method to generate (non-cryptographics) identity-based signatures computed from 1) collection of data from user biometrics, computer configuration, web browser fingerprinting, 2) data pre-processing, 3) protection of personal information through generation of a binary code (our signature). We illustrate the benefits of the proposed method with preliminary results on real personal information.
Download

Paper Nr:	23
Title:	Intrusion Detection System Test Framework for SCADA Systems
Authors:	Henrik Waagsnes and Nils Ulltveit-Moe
Abstract:	This paper presents a SCADA intrusion detection system test framework that simulates SCADA traffic and detects malicious network activity. The framework combines several existing components such as Kali Linux, Conpot, QTester104 and OpenMUC in a virtual machine based framework to provide realistic SCADA traffic. It is agnostic to Intrusion Detection System (IDS) type, and is demonstrated in a case study comparing two popular signature-based IDS engines: Suricata and Snort. The IDS engines include rule-sets for the IEC 60870-5-104 and other SCADA protocols. Detected events from IDS sensors are sent to a distributed Elastic cluster which visualises them using Kibana dashboards. The experiments show that there is some difference in behaviour between Suricata and Snort’s ability to detect malicious traffic using the same SCADA ruleset, but these issues are relatively easy to mitigate. The IDS test framework also measures the latency from detection and until the IDS alerts are presented in the incident management system, which shows that Suricata has slightly better performance than Snort.
Download

Paper Nr:	44
Title:	Novel Access Control Approach for Inter-organizational Workflows
Authors:	Asmaa El kandoussi and Hanan El bakkali
Abstract:	Inter-organizational workflows have become increasingly used by companies to improve their productivity by sharing resources and activities. These systems have proven their effectiveness in several areas. However, the sensitivity of the exchanged data, push participating organizations to set authorization rules in order to protect their data and processes. At this level, the cohabitation of different security policies arises as a problematic issue. In fact, how can we combine different or even conflicting policies with regard to privacy preserving and collaboration objectives? In this paper, we propose a new Inter-Organizational Workflow Based Access Control (IOW-BAC) approach. Besides, we present a new algorithm to resolve potential detected conflicts occurring during the composition of the global Access Control policy. This algorithm is based on a set of important parameters which are organization’s weight, object owner, task criticality and object sensitivity.
Download

Paper Nr:	47
Title:	Who’s Driving My Car? A Machine Learning based Approach to Driver Identification
Authors:	Fabio Martinelli, Francesco Mercaldo, Vittoria Nardone, Albina Orlando and Antonella Santone
Abstract:	Despite the development of new technologies, in order to prevent the stealing of cars, the number of car thefts is sharply increasing. With the advent of electronics, new ways to steal cars were found. To avoid auto-theft attacks, in this paper we propose a machine leaning based method to silently e continuously profile the driver by analyzing built-in vehicle sensors. We evaluate the efficiency of the proposed method in driver identification using 10 different drivers. Results are promising, as a matter of fact we obtain a high precision and a recall evaluating a dataset containing data extracted from real vehicle.
Download

Paper Nr:	52
Title:	AECID: A Self-learning Anomaly Detection Approach based on Light-weight Log Parser Models
Authors:	Markus Wurzenberger, Florian Skopik, Giuseppe Settanni and Roman Fiedler
Abstract:	In recent years, new forms of cyber attacks with an unprecedented sophistication level have emerged. Additionally, systems have grown to a size and complexity so that their mode of operation is barely understandable any more, especially for chronically understaffed security teams. The combination of ever increasing exploitation of zero day vulnerabilities, malware auto-generated from tool kits with varying signatures, and the still problematic lack of user awareness is alarming. As a consequence signature-based intrusion detection systems, which look for signatures of known malware or malicious behavior studied in labs, do not seem fit for future challenges. New, flexibly adaptable forms of intrusion detection systems (IDS), which require just minimal maintenance and human intervention, and rather learn themselves what is considered normal in an infrastructure, are a promising means to tackle today’s serious security situation. This paper introduces ÆCID, a new anomaly-based IDS approach, that incorporates many features motivated by recent research results, including the automatic classification of events in a network, their correlation, evaluation, and interpretation up to a dynamically-configurable alerting system. Eventually, we foresee ÆCID to be a smart sensor for established SIEM solutions. Parts of ÆCID are open source and already included in Debian Linux and Ubuntu. This paper provides vital information on its basic design, deployment scenarios and application cases to support the research community as well as early adopters of the software package.
Download

Paper Nr:	61
Title:	Malware Detection based on HTTPS Characteristic via Machine Learning
Authors:	Paul Calderon, Hirokazu Hasegawa, Yukiko Yamaguchi and Hajime Shimada
Abstract:	One of the major threat in today world are malwares that can infect computers. In order to prevent infection antimalwares softwares are installed but if the malware it is not detected at the installation it will probably never be detected. Behavioural analysis is necessary. Most of nowadays malwares connect to C&C servers by utilizing HTTP or HTTPS in order to receive orders. In this paper a method of behavioural analysis focus on the observation on HTTP and HTTPS network packets will be presented. This analysis is made by using machine learning. We evaluated our method by using 10-fold cross validations. The experimental result shows that precisions and recalls are more than 96% in average.
Download

Paper Nr:	62
Title:	Using Application Layer Metrics to Detect Advanced SCADA Attacks
Authors:	Peter Maynard, Kieran McLaughlin and Sakir Sezer
Abstract:	Current state-of-the-art intrusion detection and network monitoring systems have a tendency to focus on the ‘Five-Tuple’ features (protocol, IP src/dst and port src/dest). As a result there is a gap in visibility of security at an application level. We propose a collection of network application layer metrics to provide a greater insight into SCADA communications. These metrics are devised from an analysis of the industrial control system (ICS) threat landscape and the current state-of-the-art detection systems. Our metrics are able to detect a range of adversary capabilities which goes beyond previous literature in the SCADA domain.
Download

Paper Nr:	68
Title:	Back to the Drawing Board - Bringing Security Constraints in an Architecture-centric Software Development Process
Authors:	Stefanie Jasser, Katja Tuma, Riccardo Scandariato and Matthias Riebisch
Abstract:	Today, security is still poorly considered in early phases of software engineering. Architects and software engineers still lack knowledge about architectural security design as well as implementing it compliantly. However, a software system that is not designed for security or does not adhere to this design can hardly meet its security requirements. In this paper, we present an approach we are working on. The approach consists of two parts: Firstly, we improve the architecture’s security level through model transformation. Secondly, we derive rules and constraints from the secured architecture in order to check the implementation’s conformance. Through these activities we aim to support architects and software developers in building a secure software system. We plan to evaluate our approach in industrial case studies.
Download

Paper Nr:	74
Title:	Probability Preservation Property with Relative Error and Its Applications
Authors:	Yuanyuan Gao and Kunpeng Wang
Abstract:	Probability preservation property plays an important part role in security proofs of lattice based cryptography, which bounds the closeness of two probability distributions. Recent works revolve around different measures. We reform probability preservation properties with relative error which simplify analysis of the security reductions of preimage sampleable functions (PSFs) via different measures and demonstrate R´enyi divergence with order ¥ (RD¥) can coordinate performance with security well. We apply RD¥-based reduction to PSFs over lattices, which reduces the smoothing parameter of Gaussian sampling algorithm by a factor O( p l) without security loss. We further extend the optimized parameter to the secret extraction of identity-based encryption (IBE) over the general lattices by Gentry et al. in STOC 2008 and NTRU lattices proposed by Ducas et al. in Asiacrypt 2014. As a consequence, the size of secret key can be shortened by a factor O( p l) accordingly.
Download

Paper Nr:	78
Title:	A Framework for Web Application Integrity
Authors:	Pedro Fortuna, Nuno Pereira and Ismail Butun
Abstract:	Due to their universal accessibility, interactivity and scaling ease, Web applications relying on client-side code execution are currently the most common form of delivering applications and it is likely that they will continue to enter into less common realms such as IoT-based applications. We reason that modern Web applications should be able to exhibit advanced security protection mechanisms and review the research literature that points to useful partial solutions. Then, we propose a framework to support such characteristics and the features needed to implement them, providing a roadmap for a comprehensive solution to support Web application integrity.
Download