ICISSP 2023 Abstracts

Area 1 - Management and Operations

Full Papers

Paper Nr:	8
Title:	IVNPROTECT: Isolable and Traceable Lightweight CAN-Bus Kernel-Level Protection for Securing in-Vehicle Communication
Authors:	Shuji Ohira, Kibrom D. Araya, Ismail Arai and Kazutoshi Fujikawa
Abstract:	Cyberattacks on In-Vehicle Networks (IVNs) are becoming the most urgent issue. The Controller Area Network (CAN), one of the IVNs, is a standard protocol for automotive networks. Many researchers have tackled the security issues of CAN, such as the vulnerability of Denial-of-Service (DoS) attacks and impersonation attacks. Though existing methods can prevent DoS attacks, they have problems in deployment cost, isolability of a compromised Electronic Control Unit (ECU), and traceability for the root cause of isolation. Thus, we tackle to prevent DoS attacks on CAN. To solve these problems of the existing methods, we propose an isolable and traceable CAN-bus kernel-level protection called IVNPROTECT. IVNPROTECT can be installed on an ECU, which has a wireless interface, just by the software updating because it is implemented in the CAN-bus kernel driver. We also confirm that our IVNPROTECT can mitigate two types of DoS attacks without distinguishing malicious/benign CAN identifiers. After mitigating DoS attacks, IVNPROTECT isolates a compromised ECU with a security error state mechanism, which handles security errors in IVNPROTECT. And, we evaluate the traceability that an ECU with IVNPROTECT can report warning messages to the other ECUs on the bus even while being forced to send DoS attacks by an attacker. In addition, the overhead of IVNPROTECT is 9.049 µs, so that IVNPROTECT can be installed on insecure ECUs with a slight side-effect.
Download

Paper Nr:	62
Title:	Dark Ending: What Happens when a Dark Web Market Closes down
Authors:	Yichao Wang, Budi Arief and Julio Hernandez-Castro
Abstract:	As the economic hubs of (potentially) illegal transactions, dark web markets are fraught with uncertainty, including their ending. The ending of a dark web market can bring disruption to the stakeholders involved, especially vendors and buyers. Most importantly, there is a growing concern that such an ending can cause financial repercussions or even fraud victimisation. At the moment, there is scant published work about how, why or when dark web markets would end. We aim to fill this gap to help the academic and security research communities to reflect on what would typically happen to dark web markets in their final days. We used crawling and data scraping techniques to gather relevant weekly data from six dark web markets over a span of several months, right up to their closure. We then analysed the data to find common characteristics and predictive features leading to the closure of these markets. We found three main reasons for the ending of dark web markets: (i) exit scam, (ii) voluntary closure, or (iii) taken down by Law Enforcement Agencies (LEAs). We also gained further insights by analysing our data more closely. For instance, markets are most likely to be closed down when they are most visible, when they are under attack or when they are growing rapidly to their peak. In particular, more mature markets (i.e. markets that have been in operation for a long period of time) are more likely to disappear when their economic patterns start to change (for example, there might be a rapid growth or a sudden – or even gradual, but noticeable – economic decline). When a market was closed down, vendors and buyers would typically move on quickly to other alternative markets – which might grow rapidly as a result – and in turn, those alternative markets’ risk of being closed down would become higher. Whether a market is still accepting new vendors (or not) appears to be a valuable indicator for predicting the market’s next move. These insights can be useful in anticipating potential market closure, so that sufficient warning can be provided to avoid people being victimised.
Download

Paper Nr:	75
Title:	Exploring False Demand Attacks in Power Grids with High PV Penetration
Authors:	Ashish Neupane and Weiqing Sun
Abstract:	The push for renewable energy has certainly driven the world towards sustainability. However, the incorporation of clean energy into the electric power grid does not come without challenges. When synchronous generators are replaced by inverter based Photovoltaic (PV) generators, the voltage profile of the grid gets considerably degraded. The effect in voltage profile, added with the unpredictable generation capacity, and lack of good reactive power control eases opportunities for sneaky False Data Injection (FDI) attacks that could go undetected. The challenge is to differentiate these two phenomena. In this paper, an attack is explored in a grid environment with a high PV penetration, and challenges associated with designing a detector that accounts for inefficiencies that comes with it is discussed. The detector is a popular Kalman Filter based anomaly detection engine that tracks deviation from the predicted behaviour of the system. Chi-squared fitness test is used to check if the current states are within the normal bounds of operation. We identify the vulnerability in using static and dynamic threshold detectors which are directly affected by day-ahead demand prediction algorithms that have not been fully evolved yet. Finally, we use some of the widely used machine learning based anomaly detection algorithms to overcome the drawbacks of model-based algorithms.
Download

Paper Nr:	93
Title:	A Stochastic Game Model for Cloud Platform Security
Authors:	Lu Li, Lisheng Huang, Guanling Zhao, Kai Shi and Fengjun Zhang
Abstract:	The extensive use of virtualization technologies in cloud platforms has caused traditional security measures to partially fail. It was a hard struggle for static protection mechanisms to get work done in time when facing constantly evolving network threats. In this paper, an active defense approach is proposed to address the dynamic and variable security threats in cloud environment. Stochastic game model is introduced to model the cloud platform security elements. An attack-defense payoff function and matrix are also defined based on the features of the cloud platform. To accurately describe the attack action and the corresponding defense action, the overall attack graph and single-point defense graph are optimized. Based on proposed game model and attack-defense graph, the optimal defense strategy algorithm for the cloud platform is designed. The optimal defense strategy is obtained after a multi-stage stochastic game considering the long-term gain. Finally, the model’s reliability is evaluated using stochastic Petri nets and Markov chains. Experimental simulation demonstrates that the presented model outperforms the existing mainstream game models, such as the evolutionary game model and Bayesian game model, in terms of the optimal strategy, defense success rate, and steady-state availability.
Download

Paper Nr:	96
Title:	Systematic Literature Review of Threat Modeling Concepts
Authors:	Pedro A. Lohmann, Carlos Albuquerque and Raphael Machado
Abstract:	Threat Modeling (TM) has increased its relevance in cybersecurity risk management applied to software development, allowing developers to proactively identify and mitigate threats from various sources. In the present work, we execute a systematic literature research (SLR) on TM applied to cybersecurity. Population, Intervention, Comparison, Outcomes, Context (PICOC) criteria were used to define a research formula that was executed in three relevant digital libraries and was submitted to inclusion and exclusion criteria and a rigorous quality assessment, resulting in 16 papers that answered four research questions, which deeply defined key elements of TM, process steps, TM relation with risk management process existing in ISO 27005 and future perspectives for TM. This contribution supports the understanding of TM and its practical application when considering different existing models into real application development.
Download

Paper Nr:	107
Title:	t.ex-Graph: Automated Web Tracker Detection Using Centrality Metrics and Data Flow Characteristics
Authors:	Philip Raschke, Patrick Herbke and Henry Schwerdtner
Abstract:	The practice of Web tracking raised concerns of privacy activists and data protection authorities over the past two decades. Simultaneously, researchers propose multiple solutions based on machine learning to automatically detect Web trackers. These solutions, while proving to be promising, often remained proofs-of-concept. This paper proposes t.ex-Graph, a representation that models data flows between websites to detect Web trackers in a graph. We use a publicly available dataset containing HTTP/S requests from a crawl of the Tranco top 10K websites to extract our graph. In the second step, we feed our graph into multiple machine-learning models to predict nodes that carry out tracking activities. Our results show high accuracy of 88% and even detect yet unknown Web trackers. We publish our artifacts for fellow researchers to replicate, reproduce, and advance our results.
Download

Paper Nr:	119
Title:	Secure Joint Querying Over Federated Graph Databases Utilising SMPC Protocols
Authors:	Nouf Al-Juaid, Alexei Lisitsa and Sven Schewe
Abstract:	We present a methodology for secure joint querying over federated graph databases based on secure multiparty computation (SMPC). Using SMPC instead of (or in addition to) encryption lifts reliance on the security of the encryption mechanism. The secret keeping is, instead, guaranteed by an SMPC protocol that protects the information required to answer a given query so that it is not shared in full on any communication line. We have recently outlined how this could be done in principle in a position paper, albeit with a sluggish implementation with an enormous computational overhead that rendered it unusable in practice. In this paper, we proposed an approach by better integrating it with the SMPC protocol, implementing it in JIFF, and covering the joint functionalities and languages of Conclave, Neo4j Fabric, and APOC. When implementing our prototype, we demonstrate how small queries can be served in fractions of a second, thus improving the performance of secure joint querying by two orders of magnitude compared to the implementation in previous work while also significantly extending its set of supported queries.
Download

Short Papers

Paper Nr:	11
Title:	Cybersecurity Awareness and Capacities of SMEs
Authors:	Gencer Erdogan, Ragnhild Halvorsrud, Costas Boletsis, Simeon Tverdal and John B. Pickering
Abstract:	Small and Medium Enterprises (SMEs) are increasingly exposed to cyber risks. Some of the main reasons include budget constraints, the employees’ lack of cybersecurity awareness, cross-sectoral cyber risks, lack of security practices at organizational level, and so on. To equip SMEs with appropriate tools and guidelines that help mitigate their exposure to cyber risk, we must better understand the SMEs’ context and their needs. Thus, the contribution of this paper is a survey based on responses collected from 141 SMEs based in the UK, where the objective is to obtain information to better understand their level of cybersecurity awareness and practices they apply to protect against cyber risks. Our results indicate that although SMEs do apply some basic cybersecurity measures to mitigate cyber risks, there is a general lack of cybersecurity awareness and lack of processes and tools to improve cybersecurity practices. Our findings provide to the cybersecurity community a better understanding of the SME context in terms of cybersecurity awareness and cybersecurity practices, and may be used as a foundation to further develop appropriate tools and processes to strengthen the cybersecurity of SMEs.
Download

Paper Nr:	12
Title:	An Explainable Convolutional Neural Network for Dynamic Android Malware Detection
Authors:	Francesco Mercaldo, Fabio Martinelli and Antonella Santone
Abstract:	Mobile devices, in particular the ones powered by the Android operating system, are constantly subjected to attacks from malicious writers, continuously involved in the development of aggressive malicious payload aimed to extract sensitive and private data from our smartphones and mobile devices. From the defensive point of view, the signature-based approach implemented in current antimalware has largely demonstrated its inefficacy in fighting novel malicious payloads but also old ones, when attackers apply (even simple) obfuscation techniques. In this paper, a method aimed to detect malware attacking mobile platforms is proposed. We exploit dynamic analysis and deep learning: in particular, we design the representation of an application as an image directly generated from the system call trace. This representation is then exploited as input for a deep learning network aimed to discern between malicious or trusted applications. Furthermore, we provide a kind of explainability behind the deep learning model prediction, by highlighting into the image obtained from the application under analysis the areas symptomatic of a certain prediction. An experimental analysis with more than 6000 (malicious and legitimate) Android real-world applications is proposed, by reaching a precision of 0.715 and a recall equal to 0.837, showing the effectiveness of the proposed method. Moreover, examples of visual explainability are discussed with the aim to show how the proposed method can be useful for security analysts to better understand the application malicious behaviour.
Download

Paper Nr:	14
Title:	Machine Learning Based Prediction of Vulnerability Information Subject to a Security Alert
Authors:	Ryu Watanabe, Takashi Matsunaka, Ayumu Kubota and Jumpei Urakawa
Abstract:	The security alerts announced by various organizations can be used as an indicator of the severity and danger of vulnerabilities. The alerts are public notifications issued by security-related organizations or product/software vendors. The experts from such organizations determine whether it is a necessity of a security alert based on the published vulnerability information, threats, and publicized damages caused by the attacks to warn the public of high-risk vulnerabilities or cyberattacks. However, it may take some time between the disclosure of the vulnerability and the release of a security alert. If this delay can be shortened, it will be possible to guess the severity of the vulnerability earlier. For this purpose, the authors have proposed a machine learning method to predict whether a disclosed vulnerability is severe enough to publicize a security alert. In this paper, our proposed scheme and the evaluation we conduct to verify its accuracy are denoted.
Download

Paper Nr:	19
Title:	Towards Audit Requirements for AI-Based Systems in Mobility Applications
Authors:	Devi P. Alagarswamy, Christian Berghoff, Vasilios Danos, Fabian Langer, Thora Markert, Georg Schneider, Arndt von Twickel and Fabian Woitschek
Abstract:	Various mobility applications like advanced driver assistance systems increasingly utilize artificial intelligence (AI) based functionalities. Typically, deep neural networks (DNNs) are used as these provide the best performance on the challenging perception, prediction or planning tasks that occur in real driving environments. However, current regulations like UNECE R 155 or ISO 26262 do not consider AI-related aspects and are only applied to traditional algorithm-based systems. The non-existence of AI-specific standards or norms prevents the practical application and can harm the trust level of users. Hence, it is important to extend existing standardization for security and safety to consider AI-specific challenges and requirements. To take a step towards a suitable regulation we propose 50 technical requirements or best practices that extend existing regulations and address the concrete needs for DNN-based systems. We show the applicability, usefulness and meaningfulness of the proposed requirements by performing an exemplary audit of a DNN-based traffic sign recognition system using three of the proposed requirements.
Download

Paper Nr:	30
Title:	An Analysis of Cybersecurity Awareness Efforts for Swiss SMEs
Authors:	Ciarán Bryce
Abstract:	This paper analyzes cybersecurity awareness efforts for SMEs in Switzerland. We highlight some weaknesses in these efforts and propose avenues for improvement. Compared to existing work, e.g., (Alahmari and Duncan, 2020), we focus on attitudes and experience of experts trying to bring security to organizations rather than the organizations themselves.
Download

Paper Nr:	31
Title:	Using Infrastructure-Based Agents to Enhance Forensic Logging of Third-Party Applications
Authors:	Jennifer Bellizzi, Mark Vella, Christian Colombo and Julio Hernandez-Castro
Abstract:	Logs are the primary data source forensic analysts use to diagnose and investigate attacks on deployed applications. Since the default logs may not include all application events required during an investigation, application-specific forensic logging agents are used to forensically enhance third-party applications post-deployment and ensure that any critical events are logged. However, developing such application-specific agents is impractical as this relies on application-specific knowledge requiring significant code comprehension efforts. Furthermore, the resulting forensic logging agents are likely to break compatibility between application versions and across applications; thus, requiring the time-consuming process of agent re-development much more frequently. We propose a more practical approach to developing forensic logging agents that leverages commonly-used underlying infrastructure, which is more stable across application versions and common across different applications. We evaluate our approach in the context of enhanced logging of Android messaging apps. Our results show that this approach can be used to develop logging agents that work across multiple apps while preserving the accuracy of the logs generated, thus mitigating the challenges associated with forensically enhancing third-party applications.
Download

Paper Nr:	33
Title:	Systematically Searching for Identity-Related Information in the Internet with OSINT Tools
Authors:	Marcus Walkow and Daniela Pöhn
Abstract:	The increase of Internet services has not only created several digital identities but also more information available about the persons behind them. The data can be collected and used for attacks on digital identities as well as on identity management systems, which manage digital identities. In order to identify possible attack vectors and take countermeasures at an early stage, it is important for individuals and organizations to systematically search for and analyze the data. This paper proposes a classification of data and open-source intelligence (OSINT) tools related to identities. This classification helps to systematically search for data. In the next step, the data can be analyzed and countermeasures can be taken. Last but not least, an OSINT framework approach applying this classification for searching and analyzing data is presented and discussed.
Download

Paper Nr:	60
Title:	Bypassing Multiple Security Layers Using Malicious USB Human Interface Device
Authors:	Mathew Nicho and Ibrahim Sabry
Abstract:	The Universal Serial Bus (USB) enabled devices acts as a trusted tool for data interchange, interface, and storage for the computer systems through Human Interface Devices (HID) namely the keyboard, mouse, headphone, storage media and peripherals that use the USB port. However, with billions of USB enabled devices currently in use today, the attacker’s potential to seamlessly leverage this device to perform malicious activities by bypassing security layers presents serious risk to systems administrators. The paper thus presents a comprehensive review of the multiple attacks that can be leveraged using USB devices and the corresponding vulnerabilities including countermeasures. This is followed by the demonstration of five attacks to validate the threat and the associated vulnerabilities by bypassing four security layers namely (1) two server operating system (OS) controls, (2) one group policy control, and (3) antivirus. The attack was performed by plugging in a USB that is connected with the Arduino Micro board to install three differently crafted malwares into the victim machine (Windows Server 2012). As a result, the Arduino device that has been programmed to act like a Human Interaction Device (HID) was able to bypass all the four layers successfully, with execution on the first three layers. The attack-vulnerability theoretical model, the demonstration of the five attacks, and the subsequent analysis of the attacks provide academics with multiple domains (countermeasures) for further research, as well as practitioners to focus on critical IT controls.
Download

Paper Nr:	79
Title:	Evaluation of Persistence Methods Used by Malware on Microsoft Windows Systems
Authors:	Amélie Dieterich, Matthias Schopp, Lars Stiemert, Christoph Steininger and Daniela Pöhn
Abstract:	The usage of persistence methods has become common, as adversaries seek to remain undetected with their malware on systems for longer periods. This raises the question of how effective frequently used persistence methods are across different versions of the Microsoft Windows operating system. To answer this question, a metric is developed by which persistence methods can be quantitatively evaluated and compared. The metric is subsequently applied to eight persistence mechanisms across four different Microsoft Windows operating systems. In our results, there is no difference in the performance of methods between operating systems and a majority of mechanisms scored similarly overall. There is, however, a significant decline in performance when defensive mechanisms are enabled. The results emphasize the effectiveness of basic persistence methods of Microsoft Windows operating systems.
Download

Paper Nr:	85
Title:	Assessing Security and Privacy Insights for Smart Home Users
Authors:	Samiah Alghamdi and Steven Furnell
Abstract:	Recently, the number and range of Internet-connected devices have increased rapidly, especially due to adoption of the Internet of Things and smart home contexts. As a result, users can find themselves needing to be concerned with the security and privacy of an increasing range of devices. This paper explores the challenges that users can face in understanding and using the related features on their devices. The first element of the work is approached by assessing the user-facing materials (e.g., instruction manuals and online guidance) for a wide variety of smart home devices to determine the extent to which security and privacy aspects (and related features) are highlighted and explained. Having established that the situation is inconsistent, the work proceeds to assess the user experience in practice, by examining how easily a series of security and privacy-related tasks may be accomplished via three alternative smart speakers. The findings highlight further inconsistency and suggest that users could face considerable challenges keeping track of security settings and status of multiple devices across a smart home, and the need for information to be presented in a more coherent form.
Download

Paper Nr:	95
Title:	A Scenario-Driven Cyber Security Awareness Exercise Utilizing Dynamic Polling: Methodology and Lessons Learned
Authors:	Maria Leitner
Abstract:	As cyber security capabilities are becoming more relevant for society, the need for cyber security skills and teaching methods have increased. For example, cyber security exercises have emerged to train and test skills and abilities of people in emergency situations (e.g., under cyber attacks). While cyber security knowledge has become essential for everyone, we propose a cyber security awareness exercise that targets people with or without cyber security knowledge. Our novel approach uses dynamic surveys to visualize decisions during the exercise. In this paper, we describe the idea behind the exercise and specify the design, implementation and evaluation of this method. We validate our methodology with a cloud-based implementation that enables a low-barrier entry and a responsive design for the participants. We apply our methodology to four case studies. Our findings show that this methodology is an easy tool for organizers and helps participants to learn about cyber security. For future work, we aim to develop the methodology further and increase the scenarios to conduct more experiments with a diverse audience.
Download

Paper Nr:	121
Title:	Anomalous File System Activity Detection Through Temporal Association Rule Mining
Authors:	M. Reza H. Iman, Pavel Chikul, Gert Jervan, Hayretdin Bahsi and Tara Ghasempouri
Abstract:	NTFS USN Journal tracks all the changes in the files, directories, and streams of a volume for various reasons including backup. Although this data source has been considered a significant artifact for digital forensic investigations, the utilization of this source for automatic malicious behavior detection is less explored. This paper applies temporal association rule mining to data obtained from the NTFS USN Journal for malicious behavior detection. The proposed method extracts association rules from two data sources, the first one with normal behavior and the second one with a malicious one. The obtained rules, which have embedded the sequence of information, are compared with respect to their support and confidence values to identify the ones indicating malicious behavior. The method is applied to a ransomware case to demonstrate its feasibility in finding relevant rules based on USN journal activities.
Download

Paper Nr:	127
Title:	StegWare: A Novel Malware Model Exploiting Payload Steganography and Dynamic Compilation
Authors:	Daniele Albanese, Rosangela Casolare, Giovanni Ciaramella, Giacomo Iadarola, Fabio Martinelli, Francesco Mercaldo, Marco Russodivito and Antonella Santone
Abstract:	Android is the most widely used mobile operating system in the world. Due to its popularity, has become a target for attackers who are constantly working to develop aggressive malicious payloads aimed to steal confidential and sensitive data from our mobile devices. Despite the security policies provided by the Android operating system, malicious applications continue to proliferate on official and third-party markets. Unfortunately, current anti-malware software is unable to detect the so-called zero-day threats due to its signature-based approach. For this reason, it is necessary to develop methods aimed to enforce Android security mechanisms. With this in mind, in this paper we highlight how a series of features available in current high-level programming languages and typically used for totally legitimate purposes, can become a potential source of malicious payload injection if used in a given sequence. To demonstrate the effectiveness to perpetrate this attack, we design a new malware model that takes advantage of several Android features inherited from the Java language, such as reflection, dynamic compilation, and dynamic loading including steganographic techniques to hide the malicious payload code. We implement the proposed malware model in the Stegware Android application. In detail, the proposed malware model is based, on the app side, on the compilation and execution of Java code at runtime and, from the attacker side, on a software architecture capable of making the new malware model automatic and distributed. We evaluate the effectiveness of the proposed malware model by submitting it to 73 free and commercial antimalware, and by demonstrating its ability to circumvent the security features of the Android operating systems and the current antimalware detection.
Download

Paper Nr:	130
Title:	A Biometric Self Authentication Scheme
Authors:	Hervé Chabanne
Abstract:	Biometric authentication systems aim to authenticate users with their physiological characteristics. They have to deal with the inherent noise that occurs when biometric data from the same individual are captured several times. Leveraging verifiable computation techniques, we introduce a new biometric authentication scheme where users bring proofs of who they pretend to be, while keeping their biometrics. Experimental results show that our scheme is practical. We detail a real-life use-case of our anonymous self-scan protocol.
Download

Paper Nr:	137
Title:	A Self-Configuration Controller To Detect, Identify, and Recover Misconfiguration at IoT Edge Devices and Containerized Cluster System
Authors:	Areeg Samir and Håvard Dagenborg
Abstract:	Misconfiguration of IoT edge devices and containerized backend components can lead to various complications like performance degradation, non-compliant data flows, and external vulnerabilities. In this paper, we propose a self-configurable cluster controller that uses the hierarchical hidden Markov model to detect, identify, and recover from misconfiguration at the container and network communication level. Our experimental evaluations show that our controller can reduce the effects of misconfiguration and improves system performance and reliability.
Download

Paper Nr:	142
Title:	Assessing Risk in High Performance Computing Attacks
Authors:	Erika Leal, Cimone Wright-Hamor, Joseph Manzano, Nicholas Multari, Kevin Barker, David Manz and Jiang Ming
Abstract:	High-Performance Computing (HPC) systems are used to push the frontier of science. However, the security of these systems remains a significant concern as the number of cyber-attacks on HPC systems have increased. Attacks on HPC systems can threaten data confidentiality, integrity, and system availability. Thus, if left unaddressed, these threats could decrease the ability to push the frontier of science. While HPC and enterprise systems are found to have similar threats, traditional security solutions are insufficient for HPC systems. This research examines HPC attacks by using NIST Special Publication 800-30r1: Guide to Conducting Risk Assessments to create a generalized threat profile. A threat profile characterizes the threat sources and adversarial outsiders and is used to identify traditional security solutions that could mitigate risks. Results demonstrated that attacks originated at the login nodes, followed by coordinated campaigns that propagated the attacks across organizational systems. The traditional security solutions that could be used to protect the login nodes negatively impact HPC performance. These performance impacts impede the ability to push the frontier of science. As a result, these security solutions are unlikely to be deployed in HPC systems.
Download

Paper Nr:	52
Title:	How to Design a Blue Team Scenario for Beginners on the Example of Brute-Force Attacks on Authentications
Authors:	Andreas Eipper and Daniela Pöhn
Abstract:	Cyber attacks are ubiquitous and a constantly growing threat in the age of digitization. In order to protect important data, developers and system administrators must be trained and made aware of possible threats. Practical training can be used for students alike to introduce them to the topic. A constant threat to websites that require user authentication is so-called brute-force attacks, which attempt to crack a password by systematically trying every possible combination. As this is a typical threat, but comparably easy to detect, it is ideal for beginners. Therefore, three open-source blue team scenarios are designed and systematically described. They are contiguous to maximize the learning effect.
Download

Paper Nr:	59
Title:	A k-Anonymization Method for Social Network Data with Link Prediction
Authors:	Risa Sugai, Yuichi Sei, Yasuyuki Tahara and Akihiko Ohsuga
Abstract:	Recently, social networking services have come to pervade every aspect of our lives, increasing the demand for the utilization of social network data. However, since the utilization of social network data has the risk of personal identification, k-anonymization methods have been proposed to protect privacy as a solution. In addition, the actual data contains missing values, which may reduce the utility of the data by applying conventional methods. In this paper, we propose a method for k-anonymization of social network data with link prediction, with the aim of improving the utility of anonymized data. Based on evaluation experiments on real data, we examine the utility of anonymized data.
Download

Paper Nr:	61
Title:	Evaluation of a Tool to Increase Cybersecurity Awareness Among Non-experts (SME Employees)
Authors:	Kaiying Luan, Ragnhild Halvorsrud and Costas Boletsis
Abstract:	Humans are the weak link in cybersecurity, hence, this paper considers the human factor in cybersecurity and how the customer journey approach can be used to increase cybersecurity awareness. The Customer Journey Modelling Language (CJML) is used to document and visualise a service process. We expand the CJML formalism to encompass cybersecurity and develop an easy-to-use web application as a supporting tool for training and awareness. We present the results from the usability test with ten persons in the target group and report on usability and feasibility. All participants managed to finish the test, and most participants indicated that the tool was easy to use. By using the tool, non-expert users can make user journey diagrams showing basic conformance in a short time without professional training. For the threat diagram, half of the users achieved full conformance. In conclusion, the tool can serve as low-threshold cybersecurity awareness training for SME employees. We discuss the limitations and validity of the results and future work to improve the tool’s usability.
Download

Paper Nr:	64
Title:	The Story of Safety Snail and Her e-Mail: A Digital Wellness and Cybersecurity Serious Game for Pre-School Children
Authors:	Günther R. Drevin, Dirk P. Snyman, Lynette Drevin, Hennie A. Kruger and Johann Allers
Abstract:	Cyber threats are part of our everyday life. Even children are exposed to cyberspace as they are provided with electronic devices that have online connectivity. Due to their vulnerability and lack of education about cyber threats, there is a need to address their digital wellness. Digital wellness refers to one’s complete well-being in cyberspace. This is a balance between one’s mental and physical state when using different digital technologies. This is achieved by developing a serious game that incorporates educational and game elements appropriate to the targeted age group. The aim of this paper is to present aspects of this game, in which the story of “Safety Snail’s e-mail” is used to address their digital wellness regarding e-mail related threats as an example of online interaction. The methods used were, designing and developing a serious game based on critical game elements from literature, and making use of a structured expert review to validate the game and elements thereof. The review indicated that the critical game elements as identified in literature were successfully used in the game. This research further contributes by identifying five additional game elements through analysis of the expert review feedback. It is shown in this paper how a serious game, using critical game elements and age appropriate stories, can address the digital wellness of pre-school children.
Download

Paper Nr:	86
Title:	On the Design of GDPR Compliant Workflows for Responsible Neuroimage Data Sharing
Authors:	Alexandros Karakasidis and Vassilios Vassalos
Abstract:	Sharing medical data may facilitate advancing research as this may allow understanding the mechanisms of certain diseases, develop new drugs and medication schemes and find cures. However, as these data originate from humans, the issue of individual privacy rises since certain data modalities, as Neuroimages, if not properly curated, may reveal the identity of the individual described by these data As legislation around the globe attempts to set rules for protecting privacy, techniques and methodologies have been proposed to allow for data publishing, also complying with the law. In this paper, we aspire to provide practitioners with workflows for ethical neuroimage data publishing under the GDPR, EU’s latest data protection regulation.
Download

Paper Nr:	87
Title:	Human Factors for Cybersecurity Awareness in a Remote Work Environment
Authors:	César V. Flores, Jose Gonzalez, Miranda Kajtazi, Joseph Bugeja and Bahtijar Vogel
Abstract:	The conveniences of remote work are various, but a surge in cyberthreats has heavily affected the optimal processes of organizations. As a result, employees’ cybersecurity awareness was jeopardized, prompting organizations to require improvement of cybersecurity processes at all levels. This paper explores which cybersecurity aspects are more relevant and/or relatable for remote working employees. A qualitative approach via interviews is used to collect experiences and perspectives from employees in different organizations. The results show that human factors, such as trust in cybersecurity infrastructure, previous practices, training, security fatigue, and improvements with gamification, are core to supporting the success of a cybersecurity program in a remote work environment.
Download

Paper Nr:	98
Title:	Cyber Teaching Hospitals: Developing Cyber Workforce Competence
Authors:	James R. Elste and David Croasdell
Abstract:	The cybersecurity profession suffers from a crisis commonly referred to as the “Cyber Skills Gap.” The crisis highlights the dramatic shortage of cybersecurity awareness and skills in the modern workforce. This manuscript presents an alternative approach to the current cybersecurity educational paradigm. We propose a novel solution that would establish a system of cyber teaching hospitals. We provide an overview of the history and development of medical teaching hospitals and extrapolate the model to the cyber security domain. Incorporating the Conscious Competence model into the development of practical skills in a Cyber Teaching Hospital provides a structure for experiential learning and the acquisition of cybersecurity skills.
Download

Paper Nr:	99
Title:	Correlating Intrusion Detection with Attack Graph on Virtual Computer Networkings
Authors:	Hanwen Zhang, Wenyong Wang, Lisheng Huang, Junrui Wu, Fengjun Zhang and Kai Shi
Abstract:	Securing a computer networking system requires the ability to gather and organise information about potential vulnerabilities existing in the system. One way of utilising the information above is to generate an attack graph of all possible attack paths. Current attack graph generation methods reach scalability issue with the growth of network devices and links, and one solution is to correlate attack graph with intrusion detection systems. However, correlation techniques are rarely studied especially on generating attack graphs on virtual computer networks, as correlations are inflexible to be integrated to existing attack graph generators. Previously we proposed mAGG, an attack graph generation framework on virtual networkings; and LSAFID, an intrusion detection system based on doc-word. In this paper, we propose a new method for correlating intrusion detection algorithm for attack graph generation on virtual networkings. Our new proposed method is flexible in network architectures and functionalities, and shortens the scale of generated attack graph.
Download

Paper Nr:	115
Title:	A Game Theoretic Analysis of Cyber Threats
Authors:	Paul Tavolato, Robert Luh and Sebastian Eresheim
Abstract:	Cyber threat analysis is crucial to securing modern IT systems. In the ongoing project described here a strictly mathematical method for threat analysis is sketched. The threat landscape between an attacker (hacker) and a defender (system owner) is modeled along the formalisms of stochastic game theory, thus opening the way for a rigorous formal analysis. The key benefit of the project is its applicability to real-world situations. Therefore, the information about possible attack and defense actions is taken from several proven data sources resulting in a large number of actions (173 attack actions and 115 defense actions). We present an adaptation of the so-called Princess-and-Monster game to model the problem. Various problems with the formalization are discussed. To keep the model manageable despite the claim of practicality, it is applied only to specific scenarios mimicking real-world situations.
Download

Area 2 - Technologies and Foundations

Full Papers

Paper Nr:	13
Title:	Towards a Rust SDK for Keystone Enclave Application Development
Authors:	Jukka Julku and Markku Kylänpää
Abstract:	Secure enclaves are commonly used for securing sensitive data and computation. However, an enclave can only be trusted if the software running in the enclave is secure. Nevertheless, enclave software is often written in low-level languages that are prone to vulnerabilities. As the number of enclave application developers grows, more attention must be paid to secure software development. The use of safe programming languages could be one step towards more secure trusted software. In this paper, we discuss our work towards a Rust programming language SDK for Keystone enclave application development. In addition, we present early performance measurements of the SDK compared to the original Keystone SDK written in the C/C++ languages.
Download

Paper Nr:	20
Title:	Tracing Cryptographic Agility in Android and iOS Apps
Authors:	Kris Heid, Jens Heider, Matthias Ritscher and Jan-Peter Stotz
Abstract:	Cryptography algorithms are applicable in many use cases such as for example encryption, hashing, signing. Cryptography has been used since centuries, however some cryptography algorithms have been proven to be easily breakable (under certain configurations or conditions) and should thus be avoided. It is not easy for a developer with little cryptographic background to choose secure algorithms and configurations from the plenitude of options. Several publications already proved the disastrous cryptographic quality in mobile apps in the past. In this publication we research how cryptography of the top 2000 Android and iOS applications evolved over the past three years. We analyze at the example of the weak AES/ECB mode how and why apps changed from an insecure to a secure configuration and vice versa.
Download

Paper Nr:	40
Title:	Clipaha: A Scheme to Perform Password Stretching on the Client
Authors:	Francisco B. Izquierdo Riera, Magnus Almgren, Pablo Picazo-Sanchez and Christian Rohner
Abstract:	Password security relies heavily on the choice of password by the user but also on the one-way hash functions used to protect stored passwords. To compensate for the increased computing power of attackers, modern password hash functions like Argon2, have been made more complex in terms of computational power and memory requirements. Nowadays, the computation of such hash functions is performed usually by the server (or authenticator) instead of the client. Therefore, constrained Internet of Things devices cannot use such functions when authenticating users. Additionally, the load of computing such functions may expose servers to denial of service attacks. In this work, we discuss client-side hashing as an alternative. We propose Clipaha, a client-side hashing scheme that allows using high-security password hashing even on highly constrained server devices. Clipaha is robust to a broader range of attacks compared to previous work and covers important and complex usage scenarios. Our evaluation discusses critical aspects involved in client-side hashing. We also provide an implementation of Clipaha in the form of a web library 1 and benchmark the library on different systems to understand its mixed JavaScript and WebAssembly approach’s limitations. Benchmarks show that our library is 50% faster than similar libraries and can run on some devices where previous work fails.
Download

Paper Nr:	57
Title:	Use-Case Denial of Service Attack on Actual Quantum Key Distribution Nodes
Authors:	Patrik Burdiak, Emir Dervisevic, Amina Tankovic, Filip Lauterbach, Jan Rozhon, Lukas Kapicak, Libor Michalek, Dzana Pivac, Merima Fehric, Enio Kaljic, Mirza Hamza, Miralem Mehic and Miroslav Voznak
Abstract:	QKD integration into traditional telecommunication networks is anticipated in the upcoming decades in order to maintain adequate levels of communication security. QKD establishes ITS (Information-Theoretic secure) symmetric keys between the two parties, which they may use to sustain secure flow of data even in the post-quantum era. Since QKD-keys are a valuable and scarce resource, they must be carefully maintained. This paper investigates DoS attacks on actual QKD equipment, in which an adversary with access to QKD services depletes the reserves of QKD-keys maintained at the KMS system. As a result, safety precautions are proposed in order to prevent this scenario and maintain operational QKD service.
Download

Paper Nr:	70
Title:	Data Leakage in Isolated Virtualized Enterprise Computing Systems
Authors:	Zechariah Wolf, Eric C. Larson and Mitchell A. Thornton
Abstract:	Previous literature has shown the effectiveness of power analysis as a side channel attack on cryptosystems. Power analysis is performed using an oscilloscope to measure power consumption information from hardware utilized during cryptographic algorithms, in order to extract an encryption key. In this paper, we further explore the potential of power analysis of side channels for leaking information in enterprise computing systems. By applying the concept of power analysis more broadly to the power consumption of an entire server rack, rather than individual hardware components, we find that basic patterns in system load can be clearly identified using signal processing techniques, demonstrating a potential side channel.
Download

Paper Nr:	84
Title:	SPA Attack on NTRU Protected Implementation with Sparse Representation of Private Key
Authors:	Tomáš Rabas, Jiří Buček and Róbert Lórencz
Abstract:	NTRU is a post-quantum public-key, lattice-based cryptosystem. Several suggested implementations claim to be simple-power analysis resistant. One of these implementations was described in (An et al., 2018) using a sparse representation of a private key and a new design of an algorithm for the multiplication of polynomials. We show that it is still vulnerable. We theoretically explain a vulnerability in the algorithm description that could potentially lead to a single-trace attack. We practically perform the attack on two targets with different architectures: an 8-bit microcontroller of the AVR family and a 32-bit microcontroller ARM Cortex-M0. Statistical analysis performed on the second target, measured by the ChipWhisperer platform, shows that with a chance of 91.0% we get the correct key just from one measured trace. Ability to get two measurements raises our probability of a successful attack up to 99.6%.
Download

Paper Nr:	103
Title:	On the Use of Multiple Approximations in the Linear Cryptanalysis of Baby Rijndael
Authors:	Josef Kokeš and Róbert Lórencz
Abstract:	In this paper, we follow up on our previous research on the resistance of Baby Rijndael, a reduced AES variant, to linear cryptanalysis. We address the issue of relatively low accuracy of the recovery of the encryption key by exploiting multiple linear approximations at once to deduce the correct bit of the key. We try several different methods with varying degree of success, with the final technique increasing the average accuracy of the recovery of the bit of the key to over 82 % in the best case. However, even that technique is not capable of breaking the cipher with less effort than the brute force.
Download

Paper Nr:	104
Title:	Automating Vehicle SOA Threat Analysis Using a Model-Based Methodology
Authors:	Yuri G. Dantas, Simon Barner, Pei Ke, Vivek Nigam and Ulrich Schöpp
Abstract:	This article proposes automated methods for threat analysis using a model-based engineering methodology that provides precise guarantees with respect to safety goals. This is accomplished by proposing an intruder model for automotive SOA which together with the system architecture and the loss scenarios identified by safety analysis are used as input for computing assets, impact rating, damage/threat scenarios, and attack paths. To validate the proposed methodology, we developed a faithful model of the autonomous driving functions of the Apollo framework, a widely used open source autonomous driving stack. The proposed machinery automatically enumerates several attack paths on Apollo, including attack paths not reported in the literature.
Download

Paper Nr:	105
Title:	PDIFT: A Practical Dynamic Information-Flow Tracker
Authors:	Michael Kiperberg, Aleksei Rozman, Aleksei Kuraev and Nezer Zaidenberg
Abstract:	We present PDIFT, a hybrid dynamic information-flow tracker. PDIFT is based on a thin hypervisor, which tracks information in coarse granularity but has a negligible performance overhead. PDIFT switches to its internally embedded emulator when the information is accessed and needs to be tracked with finer granularity. Using the combination of a thin hypervisor with an embedded emulator, we achieved a significant improvement in the overall performance. We believe that PDIFT can be used as an extension to the Android base DIFT systems that currently struggle with native code tracking.
Download

Paper Nr:	123
Title:	Automata-Based Study of Dynamic Access Control Policies
Authors:	Ahmed Khoumsi
Abstract:	Access control policies (more briefly: policies) are used to filter accesses to resources. A policy is usually defined by a table of rules that specify which access requests (more briefly: requests) must be accepted and which ones must be rejected. In this paper, we study dynamic policies which do not have a common definition in the scientific community, but whose basic intuition is that the decision to accept or reject a request rq depends not only on rq, but also on the history of what have preceded rq. In our case, it is the history of events and requests that precede rq. An event indicates that a specific condition has just been met, for example “it is midnight”. We formally specify the history of events and requests by associating a guard and an assignment to each rule, and an assignment to each event. We show how to model, execute and analyze dynamic policies using an automata-based approach. In the analysis, we verify several properties of a dynamic policy, such as nonblocking, completeness, and absence of conflict. Deterministic as well as nondeterministic policies are considered.
Download

Paper Nr:	128
Title:	A Framework for Assessing Decompiler Inference Accuracy of Source-Level Program Constructs
Authors:	Jace Kline and Prasad Kulkarni
Abstract:	Decompilation is the process of reverse engineering a binary program into an equivalent source code representation with the objective to recover high-level program constructs such as functions, variables, data types, and control flow mechanisms. Decompilation is applicable in many contexts, particularly for security analysts attempting to decipher the construction and behavior of malware samples. However, due to the loss of information during compilation, this process is naturally speculative and prone to inaccuracy. This inherent speculation motivates the idea of an evaluation framework for decompilers. In this work, we present a novel framework to quantitatively evaluate the inference accuracy of decompilers, regarding functions, variables, and data types. We develop a domain-specific language (DSL) for representing such program information from any “ground truth” or decompiler source. Using our DSL, we implement a strategy for comparing ground truth and decompiler representations of the same program. Subsequently, we extract and present insightful metrics illustrating the accuracy of decompiler inference regarding functions, variables, and data types, over a given set of benchmark programs. We leverage our framework to assess the correctness of the Ghidra decompiler when compared to ground truth information scraped from DWARF debugging information. We perform this assessment over all the GNU Core Utilities (Coreutils) programs and discuss our findings.
Download

Paper Nr:	129
Title:	Fast-Flux Malicious Domain Name Detection Method Based on Domain Resolution Spatial Features
Authors:	Shaojie Chen, Bo Lang and Chong Xie
Abstract:	Fast-Flux malicious domain names evade detection by quickly changing the resolved IP addresses of the domain name, and play an important role in cyberattacks. In order to improve the performance of the Fast-Flux domain name detection, this paper explores and uses the rich spatial features contained in the domain name resolution process, and proposes a Fast-Flux malicious domain name detection method based on the domain resolution spatial features. In this method, the CNAMEs and IPs in the resolution results obtained by multiple requests are used as nodes to construct the resolution spatial relationship graph (RSRG). Then the NS record of the second-level domain name, Geographical locations and Autonomous System Numbers of the resolved IPs, and WHOIS information of the domain name are further extracted as the node features in the RSRG. Finally, a GCN model with Max Pooling algorithm is used to extract spatial features from RSRG and perform classification. Our method achieves an accuracy of 94.98% and an F1 value of 92.02% on the self-constructed dataset, and the overall performance is significantly better than the current best methods.
Download

Paper Nr:	133
Title:	Group Privacy for Personalized Federated Learning
Authors:	Filippo Galli, Sayan Biswas, Kangsoo Jung, Tommaso Cucinotta and Catuscia Palamidessi
Abstract:	Federated learning (FL) is a particular type of distributed, collaborative machine learning, where participating clients process their data locally, sharing only updates of the training process. Generally, the goal is the privacy-aware optimization of a statistical model’s parameters by minimizing a cost function of a collection of datasets which are stored locally by a set of clients. This process exposes the clients to two issues: leakage of private information and lack of personalization of the model. To mitigate the former, differential privacy and its variants serve as a standard for providing formal privacy guarantees. But often the clients represent very heterogeneous communities and hold data which are very diverse. Therefore, aligned with the recent focus of the FL community to build a framework of personalized models for the users representing their diversity, it is of utmost importance to protect the clients’ sensitive and personal information against potential threats. To address this goal we consider d-privacy, also known as metric privacy, which is a variant of local differential privacy, using a metric-based obfuscation technique that preserves the topological distribution of the original data. To cope with the issues of protecting the privacy of the clients and allowing for personalized model training, we propose a method to provide group privacy guarantees exploiting some key properties of d-privacy which enables personalized models under the framework of FL. We provide theoretical justifications to the applicability and experimental validation on real-world datasets to illustrate the working of the proposed method.
Download

Paper Nr:	143
Title:	SeCloud: Computer-Aided Support for Selecting Security Measures for Cloud Architectures
Authors:	Yuri G. Dantas and Ulrich Schöpp
Abstract:	The adoption of cloud infrastructures requires the deployment of security measures to protect assets against threats (e.g., tampering). Several security measures/technologies are available for securing cloud infrastructures, such as Service Mesh Istio and OpenID Connect. In the current state of practice, the selection of security measures is manually done by an expert (e.g., a security engineer). It becomes challenging for experts to make these selections due to the complexity of cloud infrastructures and the vast number of available security measures and technologies. This article proposes a tool for automating the recommendation of security measures for cloud architectures. Our tool expects as input information both the cloud architecture and assets identified during a threat analysis, and recommends security measures for protecting such assets against threats. We validate our tool in a case study that provides cloud services for unmanned air vehicles (UAVs).
Download

Short Papers

Paper Nr:	17
Title:	An End-to-End Encrypted Cache System with Time-Dependent Access Control
Authors:	Keita Emura and Masato Yoshimi
Abstract:	Due to the increasing use of encrypted communication, such as Transport Layer Security (TLS), encrypted cache systems are a promising approach for providing communication efficiency and privacy. Cache-22 is an encrypted cache system (Emura et al. ISITA 2020) that makes it possible to significantly reduce communication between a cache server and a service provider. In the final procedure of Cache-22, the service provider sends the corresponding decryption key to the user via TLS and this procedure allows the service provider to control which users can access the contents. For example, if a user has downloaded ciphertexts of several episodes of a show, the service provider can decide to provide some of the contents (e.g., the first episode) available for free while requiring a fee for the remaining contents. However, no concrete access control method has been implemented in the original Cache-22 system. In this paper, we add a scalable access control protocol to Cache-22. Specifically, we propose a time-dependent access control that requires a communication cost of O(logTmax) where Tmax is the maximum time period. Although the protocol is stateful, we can provide time-dependent access control with scalability at the expense of this key management. We present experimental results and demonstrate that the modified system is effective for controlling access rights. We also observe a relationship between cache capacity and network traffic because the number of duplicated contents is higher than that in the original Cache-22 system, due to time-dependent access control.
Download

Paper Nr:	23
Title:	Evaluation Scheme to Analyze Keystroke Dynamics Methods
Authors:	Anastasia Dimaratos and Daniela Pöhn
Abstract:	Password authentication is a weak point for security as passwords are easily stolen and a user may ignore the security by using a simple password. Therefore, services increasingly demand a second factor. While this may enhance security, it comes with a lower level of usability and another factor to be forgotten. A smartphone is an important device in daily life. With the growing number of sensors and features in a smartphone, keystroke dynamics may provide an easy-to-use method. In this paper, we introduce requirements for biometric authentication and keystroke dynamics. This results in an evaluation scheme, which is applied to three selected approaches. Based on the comparison, keystroke dynamics and the evaluation scheme are discussed. The obtained results indicate that keystroke dynamics can be used as another authentication method but can be bypassed by stronger adversaries. For further research, a common data set would improve the comparability.
Download

Paper Nr:	24
Title:	Revisiting the DFT Test in the NIST SP 800-22 Randomness Test Suite
Authors:	Hiroki Okada and Kazuhide Fukushima
Abstract:	The National Institute of Standards and Technology (NIST) released SP 800-22, which is a test suite for evaluating pseudorandom number generators for cryptographic applications. The discrete Fourier transform (DFT) test, which is one of the tests in NIST SP 800-22, was constructed to detect some periodic features of input sequences. There was a crucial problem in the construction of the DFT test: its reference distribution of the test statistic was not derived mathematically; instead, it was numerically estimated. Thus, the DFT test was constructed under the assumption that the pseudorandom number generator (PRNG) used for the estimation generated “truly” random numbers, which is a circular reasoning. Recently, Iwasaki (Iwasaki, 2020) performed a novel analysis to theoretically derive the correct reference distribution (without numerical estimation). However, Iwasaki’s analysis relied on some heuristic assumptions. In this paper, we present theoretical evidence for one of the assumptions. Let x0,··· , xn−1 be an n-bit input sequence. Its Fourier coefficients are defined as F0,...,Fn−1. Iwasaki assumed that Σn2 −1j=0\|Fj\|2 = n2/2. We use a quantitative analysis to show that this holds when n is sufficiently large. We also verify that our analysis is sufficiently accurate with numerical experiments.
Download

Paper Nr:	34
Title:	Security Analysis of a Color Image Encryption Scheme Based on Dynamic Substitution and Diffusion Operations
Authors:	George Teşeleanu
Abstract:	In 2019, Essaid et al. proposed an encryption scheme for color images based on chaotic maps. Their solution uses two enhanced chaotic maps to dynamically generate the secret substitution boxes and the key bytes used by the cryptosystem. Note that both types of parameters are dependent on the size of the original image. The authors claim that their proposal provides enough security for transmitting color images over unsecured channels. Unfortunately, this is not the case. In this paper, we introduce two cryptanalytic attacks for Essaid et al.’s encryption scheme. The first one is a chosen plaintext attack, which for a given size, requires 256 chosen plaintexts to allow an attacker to decrypt any image of this size. The second attack is a a chosen ciphertext attack, which compared to the first one, requires 512 chosen ciphertexts to break the scheme for a given size. These attacks are possible because the generated substitution boxes and key bits remain unchanged for different plaintext images.
Download

Paper Nr:	39
Title:	SWaTEval: An Evaluation Framework for Stateful Web Application Testing
Authors:	Anne Borcherding, Nikolay Penkov, Mark Giraud and Jürgen Beyerer
Abstract:	Web applications are an easily accessible and valuable target for attackers. Therefore, web applications need to be examined for vulnerabilities. Modern web applications usually behave in a stateful manner and hence have an underlying state machine that determines their behavior based on the current state. To thoroughly test a web application, it is necessary to consider all aspects of a web application, including its internal states. In a blackbox setting, which we presuppose for this work, however, the internal state machine must be inferred before it can be used for testing. For state machine inference it is necessary to choose a similarity measure for web pages. Some approaches for automated blackbox stateful testing for web applications have already been proposed. It is, however, unclear how these approaches perform in comparison. We therefore present our evaluation framework for stateful web application testing, SWaTEval. In our evaluation, we show that SWaTEval is able to reproduce evaluation results from literature, demonstrating that SWaTEval is suitable for conducting meaningful evaluations. Further, we use SWaTEval to evaluate various approaches to similarity measures for web pages, including a new method based on the euclidean distance that we propose in this paper. These similarity measures are an important part of the automated state machine inference necessary for stateful blackbox testing. We show that the choice of similarity measure has an impact on the performance of the state machine inference regarding the number of correctly identified states, and that our newly proposed similarity measure leads to the highest number of correctly identified states.
Download

Paper Nr:	46
Title:	Privacy-Aware IoT: State-of-the-Art and Challenges
Authors:	Shukun Tokas, Gencer Erdogan and Ketil Stølen
Abstract:	The consumer IoT is now prevalent and creates an enormous amount of fine-grained, detailed information about consumers’ everyday actions, personalities, and preferences. Such detailed information brings new and unique privacy challenges. The consumers are not aware of devices that surround them. There is a lack of transparency and absence of support for consumers to control the collection and processing of their personal and sensitive data. This paper reports on a review of state-of-the-art on privacy protection in IoT, with respect to privacy enhancing technologies (PETs) and GDPR-specific privacy principles. Drawing on a thorough analysis of 36 full papers, we identify key privacy challenges in IoT that need to be addressed to provide consumers with transparency and control over their personal data. The privacy challenges we have identified are (1) the lack of technical expertise in privacy notice comprehension, (2) the lack of transparency and control of personal data, and (3) the lack of personalized privacy recommendations.
Download

Paper Nr:	66
Title:	Evading Detection During Network Reconnaissance
Authors:	Ilias Belalis, Georgios Spathoulas and Ioannis Anagnostopoulos
Abstract:	Network security attacks have seen a significant increase in recent years. A remote attacker needs to understand the topology of the victim network and extract as much information as possible for the hosts of the network. The first step of a network attack is called reconnaissance and aims at gathering such information. In this paper, we analyze the detection of such activity through the use of machine learning classifiers. We identify which are the characteristics of reconnaissance activity that render it detectable and employ a heuristic approach to decide optimal values for such fields that can produce undetectable port scanning traffic. Based on those findings, a covert port scanning tool has been developed and made publicly available. The tool executes the reconnaissance step of an attack in a way that it can evade being detected.
Download

Paper Nr:	81
Title:	Identifying Personal Data Processing for Code Review
Authors:	Feiyang Tang, Bjarte M. Østvold and Magiel Bruntink
Abstract:	Code review is a critical step in the software development life cycle, which assesses and boosts the code’s effectiveness and correctness, pinpoints security issues, and raises its quality by adhering to best practices. Due to the increased need for personal data protection motivated by legislation, code reviewers need to understand where personal data is located in software systems and how it is handled. Although most recent work on code review focuses on security vulnerabilities, privacy-related techniques are not easy for code reviewers to implement, making their inclusion in the code review process challenging. In this paper, we present ongoing work on a new approach to identifying personal data processing, enabling developers and code reviewers in drafting privacy analyses and complying with regulations such as the General Data Protection Regulation (GDPR).
Download

Paper Nr:	106
Title:	Improving Unlinkability in C-ITS: A Methodology For Optimal Obfuscation
Authors:	Yevhen Zolotavkin, Yurii Baryshev, Vitalii Lukichov, Jannik Mähn and Stefan Köpsell
Abstract:	In this paper, we develop a new methodology to provide high assurance about privacy in Cooperative Intelligent Transport Systems (C-ITS). Our focus lies on vehicle-to-everything (V2X) communications enabled by Cooperative Awareness Basic Service. Our research motivation is developed based on the analysis of unlinkability provision methods indicating a lack of such methods. To address this, we propose a Hidden Markov Model (HMM) to express unlinkability for the situation where two vehicles are communicating with a Roadside Unit (RSU) using Cooperative Awareness Messages (CAMs). Our HMM has labeled states specifying distinct origins of the CAMs observable by a passive attacker. We then establish that high assurance about the degree of uncertainty (e.g., entropy) about labeled states can be obtained for the attacker under the assumption that he knows actual positions of the vehicles (e.g., hidden states in HMM). We further demonstrate how unlinkability can be increased in C-ITS: we propose a joint probability distribution that both drivers must use to obfuscate their actual data jointly. This obfuscated data is then encapsulated in their CAMs. Finally, our findings are incorporated into an obfuscation algorithm whose complexity is linear in the number of discrete time steps in the HMM.
Download

Paper Nr:	120
Title:	Towards Security Attack Event Monitoring for Cyber Physical-Systems
Authors:	Elias Seid, Oliver Popov and Fredrik Blix
Abstract:	In today’s software systems, security is one of the a major issues that need to be considered when designing Cyber Physical-Systems(CPS). CPS are engineered systems built from, and depend upon, the seamless integration of computational algorithms and physical components. Security breaches are on the rise, and CPS are challenged by a catastrophic damage which resulted in billions of losses. Security solutions to the Cyber Physical-Systems that we have are likely to become obsolete. Even though security agents issue new sets of vulnerability indicators and patches to address the security breach, these vulnerability indicators change over time, which is a perpetual process. We argue that any security solution for the Cyber Physical-Systems should be adaptive, based on the type of attacks and their frequency. The security solution should monitor its environment continuously to defend itself from a cyber-attack by modifying its defensive mechanism. We propose a framework for modelling, analyzing and monitoring security attacks (events) in the social, cyber and physical infrastructure realms of CPS. The framework is evaluated by using security attack scenarios taken from a recognized security knowledge repository.
Download

Paper Nr:	138
Title:	Assessing the Impact of Attacks on Connected and Autonomous Vehicles in Vehicular Ad Hoc Networks
Authors:	Kaushik K. Balaji, Dimah Almani and Steven Furnell
Abstract:	The transportation sector is evolving rapidly towards more sustainable and safer solutions with the idea of Connected and Autonomous Vehicles (CAVs) based upon Vehicular Ad-hoc Network technology. The biggest challenge for CAVs is the security threats due to their open nature and internet connections, opening a wide range of vulnerabilities. In this research, the impact of four cyber security attacks (Distributed Denial of Service (DDoS), Man-in-the-Middle (MITM), Blackhole and Grayhole) is quantified in terms of network and transportation performance metrics. The map is setup based on a busy urban area in a UK city, and a combination of OMNeT++, Sumo and Veins software tools are used for modelling and simulating the attacks on the network. The simulation is performed with and without the attacks for an accident scenario. MITM is found to have maximum impact severity on the transportation operational efficiency and safety of the CAV network. The dynamic rerouting algorithm of the network is identified as the most vulnerable attack vector, experiencing maximum impact from all the attacks. A maximum packet loss of 82% is achieved by a DDoS attack. These insights showcased the importance of analysing the impacts of security attacks on the transportation efficiency of the CAV network, which is vital for building reliable and safer next-generation mobility systems.
Download

Paper Nr:	140
Title:	Differential Privacy: Toward a Better Tuning of the Privacy Budget (ε) Based on Risk
Authors:	Mahboobeh Dorafshanian and Mohamed Mejri
Abstract:	Companies have key concerns about privacy issues when dealing with big data. Many studies show that privacy preservation models such as Anonymization, k-Anonymity, l-Diversity, and t-Closeness failed in many cases. Differential Privacy techniques can address these issues by adding a random value (noise) to the query result or databases rather than releasing raw data. Measuring the value of this noise (ε) is a controversial topic that is difficult for managers to understand. To the best of our knowledge, a small number of works calculate the value of ε. To this end, this paper provides an upper bound for the privacy budget ε based on a given risk threshold when the Laplace noise is used. The risk is defined as the probability of leaking private information multiplied by the impact of this disclosure. Estimating the impact is a great challenge as well as measuring the privacy budget. This paper shows how databases like UT CID ITAP could be very useful to estimate these kinds of impacts.
Download

Paper Nr:	5
Title:	Efficient Aggregation of Face Embeddings for Decentralized Face Recognition Deployments
Authors:	Philipp Hofer, Michael Roland, Philipp Schwarz and René Mayrhofer
Abstract:	Ubiquitous authentication systems with a focus on privacy favor decentralized approaches as they reduce potential attack vectors, both on a technical and organizational level. The gold standard is to let the user be in control of where their own data is stored, which consequently leads to a high variety of devices used what in turn often incurs additional network overhead. Therefore, when using face recognition, an efficient way to compare faces is important in practical deployments. This paper proposes an efficient way to aggregate embeddings used for face recognition based on an extensive analysis on different datasets and the use of different aggregation strategies. As part of this analysis, a new dataset has been collected, which is available for research purposes. Our proposed method supports the construction of massively scalable, decentralized face recognition systems with a focus on both privacy and long-term usability.
Download

Paper Nr:	18
Title:	Concrete Quantum Circuits to Prepare Generalized Dicke States on a Quantum Machine
Authors:	Shintaro Narisada, Shohei Beppu, Kazuhide Fukushima and Shinsaku Kiyomoto
Abstract:	A Dicke state is a superposition of n-qubit with Hamming weight k, denoted by D^n_k. Dicke states are frequently employed to prepare input superpositions for quantum search algorithms (e.g., Grover search and quantum walks) that solve combinatorial problems with a certain number (n k) of candidate solutions. Bärtschi and Eidenbenz propose a concrete quantum circuit to construct the Dicke state D^n_k with polynomial quantum gates, and they generalize the circuit in terms of Hamming weight k to prepare a superposition of Dicke states. Subsequently, Esser et al. present another quantum circuit to generate the Dicke state D^n_k with polynomial gates and a few auxiliary quantum bits. In this paper, we generalize Esser’s state preparation circuit to construct a superposition of Dicke states. We conduct a concrete comparison with two generalized Dicke state preparation circuits. We perform noisy simulations and experiments using real quantum machines from the IBM quantum experience service (IBMQ). Both circuits successfully construct the generalized Dicke state superposition using a noisy intermediate-scale quantum (NISQ) device, albeit somewhat affected by noise.
Download

Paper Nr:	35
Title:	Measurements of Cross-Border Quantum Key Distribution Link
Authors:	Filip Lauterbach, Libor Michalek, Piotr Rydlichowski, Patrik Burdiak, Jaroslav Zdralek and Miroslav Voznak
Abstract:	The paper presents measurements of a Quantum Key Distribution system operating on a cross-border QKD link between Ostrava (CZ) and Cieszyn (PL). The system is part of the Horizon OpenQKD project. The study attempted to determine the maximum attenuation where the QKD system was still functional and also any correlation between the crucial parameters of the quantum bit error rate (QBER), secret key rate (SKR) and link attenuation (dB). Providing a statistical analysis of the measured data, the paper expands our understanding of the behaviour of the QKD link as it approaches its technological limits.
Download

Paper Nr:	38
Title:	Evaluating the Fork-Awareness of Coverage-Guided Fuzzers
Authors:	Marcello Maugeri, Cristian Daniele, Giampaolo Bella and Erik Poll
Abstract:	Fuzz testing (or fuzzing) is an effective technique used to find security vulnerabilities. It consists of feeding a software under test with malformed inputs, waiting for a weird system behaviour (often a crash of the system). Over the years, different approaches have been developed, and among the most popular lies the coverage-based one. It relies on the instrumentation of the system to generate inputs able to cover as much code as possible. The success of this approach is also due to its usability as fuzzing techniques research approaches that do not require (or only partial require) human interactions. Despite the efforts, devising a fully-automated fuzzer still seems to be a challenging task. Target systems may be very complex; they may integrate cryptographic primitives, compute and verify check-sums and employ forks to enhance the system security, achieve better performances or manage different connections at the same time. This paper introduces the fork-awareness property to express the fuzzer ability to manage systems using forks. This property is leveraged to evaluate 14 of the most widely coverage-guided fuzzers and highlight how current fuzzers are ineffective against systems using forks.
Download

Paper Nr:	47
Title:	On the Feasibility of Fully Homomorphic Encryption of Minutiae-Based Fingerprint Representations
Authors:	Pia Bauspieß, Lasse Vad, Håvard Myrekrok, Anamaria Costache, Jascha Kolberg, Christian Rathgeb and Christoph Busch
Abstract:	Protecting minutiae-based fingerprint templates with fully homomorphic encryption has recently been recognised as a hard problem. In this work, we evaluate state-of-the-art fingerprint recognition based on minutiae templates using post-quantum secure fully homomorphic encryption that operates directly on floating point numbers, such that no simplification or quantisation of the comparison algorithm is necessary. In a practical evaluation on a publicly available dataset, we run a benchmark and provide directions for future work.
Download

Paper Nr:	51
Title:	Query Log Analysis for SQL Injection Detection
Authors:	Alexandra Rocha, Rui Alves and Tiago Pedrosa
Abstract:	Nowadays, more and more services are dependent on the use of resources hosted on the web. The realization of operations such as access to the account bank, credit card operations, among other operations, is something increasingly common in current times, demonstrating not only human dependence on the internet connection, as well as the need to adapt the web resources to the daily life of society. As a result of this growing dependency, web resources now provide a greater amount of confidential information, making the risk of a cyberattack and information leaking grow considerably. In the web context, one of the most well-known attacks is SQL injection that allows the attacker to exploit, through the injection of malicious queries, access to confidential information. This paper suggests a solution for the detection of SQL injection via web resources, using the analysis of the logs of the executed queries.
Download

Paper Nr:	53
Title:	SCANTRAP: Protecting Content Management Systems from Vulnerability Scanners with Cyber Deception and Obfuscation
Authors:	Daniel Reti, Karina Elzer and Hans D. Schotten
Abstract:	Every attack begins with gathering information about the target. The entry point for network breaches are often vulnerabilities in internet facing websites, which often rely on an off-the-shelf Content Management System (CMS). Bot networks and human attackers alike rely on automated scanners to gather information about the CMS software installed and potential vulnerabilities. To increase the security of websites using a CMS, it is desirable to make the use of CMS scanners less reliable. The aim of this work is to extend the current knowledge about cyber deception in regard to CMS. To demonstrate this, a WordPress Plugin called ’SCANTRAP’ was created, which uses simulation and dissimulation in regards to plugins, themes, versions, and users. We found that the resulting plugin is capable of obfuscating real information and to a certain extent inject false information to the output of one of the most popular WordPress scanners, WPScan, without limiting the legitimate functionality of the WordPress installation.
Download

Paper Nr:	83
Title:	Design Rationale for Symbiotically Secure Key Management Systems in IoT and Beyond
Authors:	Witali Bartsch, Prosanta Gope, Elif B. Kavun, Owen Millwood, Andriy Panchenko, Aryan M. Pasikhani and Ilia Polian
Abstract:	The overwhelmingly widespread use of Internet of Things (IoT) in different application domains brought not only benefits, but, alas, security concerns as a result of the increased attack surface and vectors. One of the most critical mechanisms in IoT infrastructure is key management. This paper reflects on the problems and challenges of existing key management systems, starting with the discussion of a recent real-world attack. We identify and elaborate on the drawbacks of security primitives based purely on physical variations and – after highlighting the problems of such systems – continue on to deduce an effective and cost-efficient key management solution for IoT systems extending the symbiotic security approach in a previous work. The symbiotic architecture combines software, firmware, and hardware resources for secure IoT while avoiding the traditional scheme of static key storage and generating entropy for key material on-the-fly via a combination of a Physical Unclonable Function (PUF) and pseudo-random bits pre-populated in firmware.
Download

Paper Nr:	108
Title:	P2BAC: Privacy Policy Based Access Control Using P-LPL
Authors:	Jens Leicht and Maritta Heisel
Abstract:	Privacy policies are used to inform end-users about the processing of their personal data by service providers on the Internet. These policies are, however, not systematically enforced. There could be discrepancies between the policy provided to the end-users and the actual access control policies applied by the service provider. We propose the Privacy Policy Based Access Control (P2BAC) system to tackle this issue. P2BAC uses computer-processable privacy policies expressed in the Prolog-Layered Privacy Language (P-LPL) to make decisions on whether some data may be accessed for a specific purpose. With P2BAC we extend the Privacy Policy Compliance Guidance (PriPoCoG) framework. Since P-LPL privacy policies can be customized by the end-user, we can consider end-users’ privacy preferences during access control. P2BAC uses query rewriting to perform the access control. The decision point is implemented in Prolog and directly operates on the P-LPL privacy policy.
Download

Paper Nr:	118
Title:	RPCDroid: Runtime Identification of Permission Usage Contexts in Android Applications
Authors:	Michele Guerra, Roberto Milanese, Rocco Oliveto and Fausto Fasano
Abstract:	Over the years, there has been an explosion in the app market offering users a wide range of functionalities especially since modern devices are equipped with many hardware resources such as cameras, GPS, and so on. Unfortunately, this is sometimes associated to indiscriminate access to sensitive data. This exposes users to security and privacy risks because, although resource usage requires explicit user authorization, once permission is granted, a mobile application is usually free to access the corresponding resource until the permission is expressly revoked or the app is uninstalled. In this work, we introduce RPCDroid, a dynamic analysis tool for run-time tracking of the behavior (UI events and used permissions) of Android mobile applications that use device resources requiring dangerous permissions. We assessed the effectiveness of the tool to identify usage contexts, discriminating between different kinds of access to the same sensitive resource. We executed RPCDroid on a set of popular applications obtaining evidence that, in many cases, mobile applications access to the same resource though different user interactions.
Download

Area 3 - Applications and Services

Full Papers

Paper Nr:	26
Title:	Veto: Prohibit Outdated Edge System Software from Booting
Authors:	Jonas Röckl, Adam Wagenhäuser and Tilo Müller
Abstract:	Edge computing emerges as a trend, forming a link between the Internet of Things and cloud-based services. Large-scale edge deployments are already in place today in the context of communication network providers that offload more and more tasks to the edge to ensure high flexibility and low latencies. By relying on remote attestation and disk encryption techniques, we design a novel system architecture that protects confidential data on edge nodes in the case of device theft. Recent vulnerabilities like Ripple20 and Amnesia:33 show the consequences and costs of critical security bugs stemming from outdated system software. Thus, we design our system in a way that a node can derive its decryption key if and only if a trusted remote party (e.g., a network operator) can verify that it is running the latest software. This is a security feature that prevalent implementations like Linux’s dm-crypt lack. To secure the early-boot communication, we rely on a trusted execution environment, hardware offloading, and Rust device drivers. We prototype our system on two recent ARMv8 devices and show that the performance overhead (≈ 2%) and the boot delay (1s) are low. Thus, we believe that our concept is a meaningful step towards more secure future edge devices.
Download

Paper Nr:	42
Title:	Automating XSS Vulnerability Testing Using Reinforcement Learning
Authors:	Kento Hasegawa, Seira Hidano and Kazuhide Fukushima
Abstract:	Cross-site scripting (XSS) is a frequently exploited vulnerability in web applications. Existing XSS testing tools utilize a brute-force or heuristic approach to discover vulnerabilities, which increases the testing time and load of the target system. Reinforcement learning (RL) is expected to decrease the burden on humans and enhance the efficiency of the testing task. This paper proposes a method to automate XSS vulnerability testing using RL. RL is employed to obtain an efficient policy to compose test strings for XSS vulnerabilities. Based on an observed state, an agent composes a test string that exploits an XSS vulnerability and passes the string to a target web page. A training environment XSS Gym is developed to provide a variety of XSS vulnerabilities during training. The proposed method significantly decreases the number of requests to the target web page during the testing process by acquiring an efficient policy with RL. Experimental results demonstrate that the proposed method effectively discovers XSS vulnerabilities with the fewest requests compared to the existing open-source tools.
Download

Paper Nr:	45
Title:	An Efficient Unified Architecture for Polynomial Multiplications in Lattice-Based Cryptoschemes
Authors:	Francesco Antognazza, Alessandro Barenghi, Gerardo Pelosi and Ruggero Susella
Abstract:	The significant effort in the research and design of large-scale quantum computers has spurred a transition to post-quantum cryptographic primitives worldwide. The post-quantum cryptographic primitive standardization effort led by the US NIST has recently selected the asymmetric encryption primitive Kyber as its candidate for standardization. It has also indicated NTRU, another lattice-based primitive, as a valid alternative if intellectual property issues are not solved. Finally, a more conservative alternative to NTRU, NTRUPrime was also considered as an alternate candidate, due to its design choices which remove the possibility for a large set of attacks preemptively. All the aforementioned asymmetric primitives provide good performances, and are prime choices provide IoT devices with post-quantum confidentiality services. In this work, we propose a unified design for a hardware accelerator able to speed up the computation of polynomial multiplications, the workhorse operation in all of the aforementioned cryptosystems, managing the differences in the polynomial rings of the cryptosystems. Our design is also able to outperform the state of the art designs tailored specifically for NTRU, and provide latencies similar to the symmetric cryptographic elements required by the scheme for Kyber and NTRUPrime.
Download

Paper Nr:	58
Title:	A Systematic Review of Secure IoT Data Sharing
Authors:	Thanh T. Tran, Phu H. Nguyen and Gencer Erdogan
Abstract:	The Internet of Things (IoT) is more and more omnipresent. The greater values of the IoT can be realized by enabling data sharing between different stakeholders. However, one of the biggest challenges is ensuring security and enabling trust for IoT data sharing. In this paper, we identify state-of-the-art (SotA) approaches and techniques for secure IoT data sharing. We present high-level results emphasizing the SotA trend and revealing the most addressed domains, as well as more in-depth details such as procedures and methods used to preserve security in the data sharing environment. The blockchain technology, smart contracts, and InterPlanetary File System (IPFS) are among the most widely used approaches. As today’s solutions explore a more decentralized approach to data sharing, there are several aspects to consider. Based on the findings, we have identified potential research directions for future work, including the differences between public and private blockchains, the combination of sharing and analytic, the value of data quality, and the importance of data management and governance.
Download

Paper Nr:	88
Title:	XMeDNN: An Explainable Deep Neural Network System for Intrusion Detection in Internet of Medical Things
Authors:	Mohammed M. Alani, Atefeh Mashatan and Ali Miri
Abstract:	The rapid growth in the adoption of Internet of Things in various areas of our daily lives makes it an interesting target to malicious actors. One area that is witnessing accelerating growth in smart device adoption is health and medical services. The growth in Internet of Medical Things is triggering increased interest in privacy, confidentiality, and intrusion detection. In this paper, we present a deep neural network designed to detect attacks on Internet-of-Things devices in medical settings. The proposed system was tested using WUSTL-EHMS-2020 dataset. Tests showed that the proposed deep learning system can deliver excellent performance with accuracy 97.578%, and a false-positive rate of 3.12%.
Download

Short Papers

Paper Nr:	9
Title:	Evaluation of DoS/DDoS Attack Detection with ML Techniques on CIC-IDS2017 Dataset
Authors:	Saida Farhat, Manel Abdelkader, Amel Meddeb-Makhlouf and Faouzi Zarai
Abstract:	Cloud computing is one of today’s most promising technologies. It provides its users with simplified IT infrastructure and management, remote access from effectively anywhere in the world with a stable internet connection, and cost efficiencies. Despite all these benefits, the cloud comes with some limitations and disadvantages regarding security. Denial-of-service attacks (DoS/DDoS) are one of the major security challenges in emerging cloud computing environments. In this paper, the main objective is to propose a DoS/DDoS attack detection system for Cloud environments using the most popular CICIDS2017 benchmark dataset and applying multiple Machine Learning (ML) techniques by considering both the Wednesday and Friday afternoon traffic log files. The implementation results of our model based on the eXtreme Gradient Boosting (XGBoost) algorithm demonstrate its ability to detect intrusions with a detection accuracy of 99.11% and a false alarm rate of about 0.011%.
Download

Paper Nr:	43
Title:	TTP-Aided Searchable Encryption of Documents Using Threshold Secret Sharing
Authors:	Ahmad M. Kamal and Keiichi Iwamura
Abstract:	In recent years, the introduction of services such as storage-as-a-service has enabled users to outsource their data to cloud servers to mitigate the cost of physical storage infrastructure. Moreover, cloud storage allows users to access data anywhere. However, outsourcing sensitive data to cloud servers also introduces concerns regarding data leakage and privacy. Therefore, these data must be encrypted before storage. Searchable encryption (SE) is a method that allows data to be searched in its encrypted state. SE uses symmetric key encryption, public key encryption, or secret sharing. SE using symmetric and public key encryptions can be implemented using one cloud server. However, most SEs utilize the search index for efficiency, which incurs the additional cost of constantly updating the search index. SE using secret sharing is computationally light. Therefore, a direct search over ciphertext is possible without sacrificing the efficiency. However, it requires multiple, independently managed cloud servers. In this study, by effectively using a trusted third party, we demonstrate that realizing an SE with a single cloud server is possible, even if secret sharing is used, thereby reducing the total running cost and communications required. Moreover, we demonstrate that the proposed method is secure against a semi-honest adversary.
Download

Paper Nr:	73
Title:	Cloud Inspector: A Tool-Based Approach for Public Administrations to Establish Information Security Processes Towards Public Clouds
Authors:	Michael Diener and Thomas Bolz
Abstract:	Digitization is on the rise in Europe’s public administrations. Since the Covid-19 pandemic began, public cloud services have become essential in this domain. However, there are still security concerns about the usage of external cloud resources in business processes of public authorities, although numerous technical concepts for improving security are already available. In this paper, we focus on internal processes of information security management systems (ISMS) in public administrations. We identified potential challenges such as a lack of knowledge about cloud security and unclear roles and responsibilities when using ISMS tools in this application domain. As a possible solution, we present a tool-based approach that is based on an easyto-use online questionnaire, which can be automatically evaluated based on predefined sentiments. With this approach, we can provide the required visibility into the status quo of public cloud security while integrating various stakeholders within public administrations into a holistic ISMS process.
Download

Paper Nr:	80
Title:	Security Aspects of Digital Twins in IoT
Authors:	Vitomir Pavlov, Florian Hahn and Mohammed El-Hajj
Abstract:	The number of Internet-connected devices are expected to reach almost 30 billion by 2030, and already today the Internet of Things (IoT) technologies is a part of everyday life in sectors like public health, smart cars, smart grids, smart cities, smart manufacturing and smart homes. An even tighter integration between IoT technology and physical objects within these sectors has been made possible by the Digital Twin (DT) technology providing better abilities for real-time monitoring, data-driven modeling and process optimization. One integral aspect of this approach is the connection between IoT end-devices and their corresponding digital twins for real-time data communication. Depending on the envisioned scenario, the involved data and derived processes affect the safety of human lives, hence an authentic connection is of major importance. At the same time, IoT devices have restrictions on the available power sources and provided computing resources. In this work we report on our experiments with the Azure IoT Hub, the commercial platform that supports digital twins offered by Microsoft. First, we set up a real-time connection between the cloud platform and two different IoT devices and explore how an authentic connection is established between IoT devices and their corresponding DTs. Based on a test bed consisting of widely used IoT devices we analyse the power consumption and execution time of the offered authentication mechanisms that are based on general symmetric or asymmetric encryption. While the authentication time for a Raspberry Pi is below 0.5 seconds, the same task took above 4.5 seconds for an Arduino, highlighting the importance of lightweight authentication mechanisms for real-time communication between IoT devices and DT platforms.
Download

Paper Nr:	82
Title:	Online Transition-Based Feature Generation for Anomaly Detection in Concurrent Data Streams
Authors:	Yinzheng Zhong and Alexei Lisitsa
Abstract:	In this paper, we introduce the transition-based feature generator (TFGen) technique, which reads general activity data with attributes and generates step-by-step generated data. The activity data may consist of network activity from packets, system calls from processes or classified activity from surveillance cameras. TFGen processes data online and will generate data with encoded historical data for each incoming activity with high computational efficiency. The input activities may concurrently originate from distinct traces or channels. The technique aims to address issues such as domain-independent applicability, the ability to discover global process structures, the encoding of time-series data, and online processing capability.
Download

Paper Nr:	101
Title:	Comparing the Effect of Privacy and Non-Privacy Social Media Photo Tools on Factors of Privacy Concern
Authors:	Vanessa Bracamonte, Sebastian Pape and Sascha Loebner
Abstract:	Research into privacy tools for social media content has found that although there is a positive attitude towards these tools, there are also privacy concerns related to the user information involved. This privacy concern towards privacy tools can be higher than for non-privacy tools of a similar type, but the reason for this difference is not clear. To address this, we conducted an online experiment to compare the effect of a privacy and a non-privacy tool on antecedent factors of privacy concern (Perceived value of personal information, Social presence, Affect and Trust) which are hypothesized to be affected by the different purpose of the tools. The results show that participants had higher affect towards the privacy tool compared to the non-privacy tool. On the other hand, the results also show that participants in the privacy tool group had a higher level of perception of value of their personal information, that is, that the information provided to and inferred by the tool is valuable. Finally, both factors mediated a significant but opposing effect of the type of tool on privacy concern.
Download

Paper Nr:	110
Title:	Secure Software Updates for IoT Based on Industry Requirements
Authors:	Ludwig Seitz, Marco Tiloca, Martin Gunnarsson and Rikard Höglund
Abstract:	This paper analyzes the problem and requirements of securely distributing software updates over the Internet, to devices in an Industrial Control System (ICS) and more generally in Internet of Things (IoT) infrastructures controlling a physical system, such as power grids and water supply systems. We present a novel approach that allows to securely distribute software updates of different types, e.g., device firmware and customer applications, and from sources of different type, e.g., device operators, device manufacturers and third-party library providers. Unlike previous works on this topic, our approach keeps the device operator in control of the update process, while ensuring both authenticity and confidentiality of the distributed software updates.
Download

Paper Nr:	21
Title:	CHARRA-PM: An Attestation Approach Relying on the Passport Model
Authors:	Antonio Marques and Bruno Sousa
Abstract:	Attestation is a mechanism that is employed to verify the authenticity and integrity of the other(s) part(s), i.e., in hardware and/or software of a device. The remote attestation is the activity of verifying the authenticity and integrity of a target that provides evidence to a verifier over a network that should be accepted or denied as a result of this process. Classic authorization relies in the information provided by a device and gives permission for a specific operation. The attestation adds a new a layer of information, not only we need to know who the device is, but we also need to know if it is in good standing (i.e. performing according to its design) before authorization. This paper proposes the use of the Passport model, using the Challenge/Response development based on the architecture described by the IETF working group RATS - Remote Attestation Procedures Architecture. The elaborated Proof-of-Concept is designed and evaluated using docker containers and TPM software simulation.
Download

Paper Nr:	27
Title:	SHOID: A Secure Herd of IoT Devices Firmware Update Protocol
Authors:	Frédéric Ruellé, Quentin Guellaën and Arnaud Rosay
Abstract:	The Internet Of Things (IoT) movement puts more and more objects on the field, which raises critical problems related to device management and security, especially for resource-constrained nodes. In this paper, we propose a method for the devices to create self-organized groups autonomously. We demonstrate how we can leverage this group concept to improve the robustness of a key device management procedure: the over-the-air firmware update. Experiments have been conducted with micro-controller based objects addressing a typical smart sensor use-case. Finally, ways of improvements arise and further study items are identified.
Download

Paper Nr:	69
Title:	Temporal Constraints in Online Dating Fraud Classification
Authors:	Harrison Bullock and Matthew Edwards
Abstract:	A number of automated systems attempt to combat online fraud through the application of classifiers created using machine learning techniques. However, online fraud is a moving target, and cybercriminals alter their strategies over time, causing a gradual decay in the effectiveness of classifiers designed to detect them. In this paper, we demonstrate the existence of this concept drift in an online dating fraud classification problem. Working with a dataset of real and fraudulent dating site profiles spread over 6 years, we measure the extent to which dating fraud classification performance may be expected to decay, finding substantial decay in classifier F1 over time, amounting to a decrease of more than 0.2 F1 by the end of our evaluation period. We also evaluate strategies for keeping fraud classification performance robust over time, suggesting mitigations that may be deployed in practice.
Download

Paper Nr:	90
Title:	Towards Long-Term Continuous Tracing of Internet-Wide Scanning Campaigns Based on Darknet Analysis
Authors:	Chansu Han, Akira Tanaka, Jun’ichi Takeuchi, Takeshi Takahashi, Tomohiro Morikawa and Tsung-Nan Lin
Abstract:	The darknet is an unused IP address space that can be an effective resource for observing and analyzing global indiscriminate scanning attacks. Scanning traffic on the darknet has expanded dramatically in recent years and numerous constant scans for investigative purposes have been observed. This is problematic because the investigative scans identified by naive rules account for about 60% of the total observed traffic. In earlier work, we detected malware-caused indiscriminate scanning for attack purposes from darknet data by means of anomaly detection methods, but the large amount of activity from investigation-purpose indiscriminate scans led to false positives. We have therefore developed a new method for tracing scanning campaigns. By distinguishing whether the campaign being traced is for attack or investigation purposes, we aim to reduce the number of false positives and improve anomaly detection accuracy. We also intend to clarify the actual state of constant scanner groups by tracing them. In this work, we describe the proposed method, implement a prototype, and conduct experiments on real darknet data to investigate the feasibility of tracing scanning campaigns.
Download

Paper Nr:	94
Title:	Vehicle Data Collection: A Privacy Policy Analysis and Comparison
Authors:	Chiara Bodei, Gianpiero Costantino, Marco De Vincenzi, Ilaria Matteucci and Anna Monreale
Abstract:	In recent years, data can be considered the new fuel for road vehicle functionalities like driver-assistance systems or customized services. Therefore, the carmakers with their phone apps, synced with the infotainment system, can collect information from the drivers and vehicles to be processed inside or outside the car. In this context, we analyze different carmakers’ privacy policies to define their readability and compliance with the EU General Data Protection Regulation, and provide analysis of carmakers’ data collection. Besides, for the first time, we compare the most significant privacy regulations in automotive. Finally, we create an interactive dashboard to compare the different carmakers’ policies and provide users with an efficient instrument to understand some relevant privacy aspects like which data the carmakers declare to collect. We find that carmakers could collect a large number of users and vehicle data, but, in some cases, the privacy policies seem to be quite challenging to read and do not provide some information like how collected data are protected or stored.
Download

Paper Nr:	100
Title:	Vulnerabilities in IoT Devices, Backends, Applications, and Components
Authors:	Rauli Kaksonen, Kimmo Halunen and Juha Röning
Abstract:	The Internet of Things (IoT) is the ecosystem of networked devices encountered in both work and home. IoT security is a great concern and vulnerabilities are reported daily. IoT is mixed into other digital infrastructure both in terms of sharing the same networks and using the same software components. In this paper, we analyze Common Vulnerabilities and Exposures (CVE) entries, including known exploited vulnerabilities, to describe the vulnerabilities in the IoT context. The results indicate that 88% of reported vulnerabilities are relevant to IoT systems. Half of the vulnerabilities are in the backend or frontend systems while 10-20% concern the IoT devices. HTTP servers are the vulnerability hotspots wherever they are located. Software components are used in all IoT subsystems and tracking and updating them is essential for system security. The results can be used to understand where and what kind of vulnerabilities are in IoT systems.
Download

Paper Nr:	135
Title:	Forecasting Cyber-Attacks to Destination Ports Using Machine Learning
Authors:	Kostas Loumponias, Sotiris Raptis, Eleni Darra, Theodora Tsikrika, Stefanos Vrochidis and Ioannis Kompatsiaris
Abstract:	To anticipate and counter cyber-attacks that may threaten the stability of the economy, society, and governments around the world, significant efforts have made particularly towards the detection of cyber-attacks, while fewer studies have focused on their forecasting. This paper proposes a framework that provides forecasts of upcoming (within the next minute) cyber-attacks, as well as their type, to a specific destination port. To this end, several machine learning-based methods are applied on measurements (observations) obtained from the network traffic flow. The proposed method is supported by two major pillars: first, the selection of appropriate features generated by the network traffic and, second, in addition to the selected features, the detection of the type of cyber-attacks that occurred in the past. The proposed framework is evaluated on the CIC-IDS2017 synthetic dataset and provides a robust performance in forecasting the type of upcoming cyber-attack in terms of Accuracy, Precision, Recall, F1-score and confusion matrix.
Download