-
MRAAC: A Multi-stage Risk-aware Adaptive Authentication and Access Control Framework for Android ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-04-08 Jiayi Chen, Urs Hengartner, Hassan Khan
Adaptive authentication enables smartphones and enterprise apps to decide when and how to authenticate users based on contextual and behavioral factors. In practice, a system may employ multiple policies to adapt its authentication mechanisms and access controls to various scenarios. However, existing approaches suffer from contradictory or insecure adaptations, which may enable attackers to bypass
-
CySecBERT: A Domain-Adapted Language Model for the Cybersecurity Domain ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-04-08 Markus Bayer, Philipp Kuehn, Ramin Shanehsaz, Christian Reuter
The field of cybersecurity is evolving fast. Security professionals are in need of intelligence on past, current and — ideally — upcoming threats, because attacks are becoming more advanced and are increasingly targeting larger and more complex systems. Since the processing and analysis of such large amounts of information cannot be addressed manually, cybersecurity experts rely on machine learning techniques. In the
-
A Decentralized Private Data Marketplace using Blockchain and Secure Multi-Party Computation ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-03-16 Julen Bernabé-Rodríguez, Albert Garreta, Oscar Lage
Big data has proven to be a very useful tool for companies and users, but companies with larger datasets have ended being more competitive than the others thanks to machine learning or artificial intelligence. Secure multi-party computation (SMPC) allows the smaller companies to jointly train arbitrary models on their private data while assuring privacy, and thus gives data owners the ability to perform
-
Is Bitcoin Future as Secure as We Think? Analysis of Bitcoin Vulnerability to Bribery Attacks Launched through Large Transactions ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-03-14 Ghader Ebrahimpour, Mohammad Sayad Haghighi
Bitcoin uses blockchain technology to maintain transactions order and provides probabilistic guarantees to prevent double-spending, assuming that an attacker’s computational power does not exceed 50% of the network power. In this article, we design a novel bribery attack and show that this guarantee can be hugely undermined. Miners are assumed to be rational in this setup, and they are given incentives
-
AdverSPAM: Adversarial SPam Account Manipulation in Online Social Networks ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-03-14 Federico Concone, Salvatore Gaglio, Andrea Giammanco, Giuseppe Lo Re, Marco Morana
In recent years, the widespread adoption of Machine Learning (ML) at the core of complex IT systems has driven researchers to investigate the security and reliability of ML techniques. A very specific kind of threats concerns the adversary mechanisms through which an attacker could induce a classification algorithm to provide the desired output. Such strategies, known as Adversarial Machine Learning
-
Combining Cyber Security Intelligence to Refine Automotive Cyber Threats ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-03-14 Florian Sommer, Mona Gierl, Reiner Kriesten, Frank Kargl, Eric Sax
Modern vehicles increasingly rely on electronics, software, and communication technologies (cyber space) to perform their driving task. Over-The-Air (OTA) connectivity further extends the cyber space by creating remote access entry points. Accordingly, the vehicle is exposed to security attacks that are able to impact road safety. A profound understanding of security attacks, vulnerabilities, and mitigations
-
Uncovering CWE-CVE-CPE Relations with Threat Knowledge Graphs ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-02-05 Zhenpeng Shi, Nikolay Matyunin, Kalman Graffi, David Starobinski
Security assessment relies on public information about products, vulnerabilities, and weaknesses. So far, databases in these categories have rarely been analyzed in combination. Yet, doing so could help predict unreported vulnerabilities and identify common threat patterns. In this article, we propose a methodology for producing and optimizing a knowledge graph that aggregates knowledge from common
-
Non-intrusive Balance Tomography Using Reinforcement Learning in the Lightning Network ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-02-06 Yan Qiao, Kui Wu, Majid Khabbazian
The Lightning Network (LN) is a second layer system for solving the scalability problem of Bitcoin transactions. In the current implementation of LN, channel capacity (i.e., the sum of individual balances held in the channel) is public information, while individual balances are kept secret for privacy concerns. Attackers may discover a particular balance of a channel by sending multiple fake payments
-
Sphinx-in-the-Head: Group Signatures from Symmetric Primitives ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-02-05 Liqun Chen, Changyu Dong, Christopher J. P. Newton, Yalan Wang
Group signatures and their variants have been widely used in privacy-sensitive scenarios such as anonymous authentication and attestation. In this paper, we present a new post-quantum group signature scheme from symmetric primitives. Using only symmetric primitives makes the scheme less prone to unknown attacks than basing the design on newly proposed hard problems whose security is less well-understood
-
DEEPFAKER: A Unified Evaluation Platform for Facial Deepfake and Detection Models ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-02-05 Li Wang, Xiangtao Meng, Dan Li, Xuhong Zhang, Shouling Ji, Shanqing Guo
Deepfake data contains realistically manipulated faces—its abuses pose a huge threat to the security and privacy-critical applications. Intensive research from academia and industry has produced many deepfake/detection models, leading to a constant race of attack and defense. However, due to the lack of a unified evaluation platform, many critical questions on this subject remain largely unexplored
-
DeepMark: A Scalable and Robust Framework for DeepFake Video Detection ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-02-05 Li Tang, Qingqing Ye, Haibo Hu, Qiao Xue, Yaxin Xiao, Jin Li
With the rapid growth of DeepFake video techniques, it becomes increasingly challenging to identify them visually, posing a huge threat to our society. Unfortunately, existing detection schemes are limited to exploiting the artifacts left by DeepFake manipulations, so they struggle to keep pace with the ever-improving DeepFake models. In this work, we propose DeepMark, a scalable and robust framework
-
On Detecting and Measuring Exploitable JavaScript Functions in Real-world Applications ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-02-05 Maryna Kluban, Mohammad Mannan, Amr Youssef
JavaScript is often rated as the most popular programming language for the development of both client-side and server-side applications. Because of its popularity, JavaScript has become a frequent target for attackers who exploit vulnerabilities in the source code to take control over the application. To address these JavaScript security issues, such vulnerabilities must be identified first. Existing
-
Efficient History-Driven Adversarial Perturbation Distribution Learning in Low Frequency Domain ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-01-10 Han Cao, Qindong Sun, Yaqi Li, Rong Geng, Xiaoxiong Wang
The existence of adversarial image makes us have to doubt the credibility of artificial intelligence system. Attackers can use carefully processed adversarial images to carry out a variety of attacks. Inspired by the theory of image compressed sensing, this paper proposes a new black-box attack, \(\mathcal {N}\text{-HSA}_{LF}\). It uses covariance matrix adaptive evolution strategy (CMA-ES) to learn
-
Sound-based Two-factor Authentication: Vulnerabilities and Redesign ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-01-10 Prakash Shrestha, Ahmed Tanvir Mahdad, Nitesh Saxena
Reducing the level of user effort involved in traditional two-factor authentication (TFA) constitutes an important research topic. An interesting representative approach, Sound-Proof, leverages ambient sounds to detect the proximity between the second-factor device (phone) and the login terminal (browser), and it eliminates the need for the user to transfer PIN codes. In this article, we identify a
-
OptiClass: An Optimized Classifier for Application Layer Protocols Using Bit Level Signatures ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-01-10 Mayank Swarnkar, Neha Sharma
Network traffic classification has many applications, such as security monitoring, quality of service, traffic engineering, and so on. For the aforementioned applications, Deep Packet Inspection (DPI) is a popularly used technique for traffic classification because it scrutinizes the payload and provides comprehensive information for accurate analysis of network traffic. However, DPI-based methods
-
Eyes See Hazy while Algorithms Recognize Who You Are ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2024-01-10 Yong Zeng, Jiale Liu, Tong Dong, Qingqi Pei, Jianfeng Ma, Yao Liu
Facial recognition technology has been developed and widely used for decades. However, it has also made privacy concerns and researchers’ expectations for facial recognition privacy-preserving technologies. To provide privacy, detailed or semantic contents in face images should be obfuscated. However, face recognition algorithms have to be tailor-designed according to current obfuscation methods, as
-
An Experimental Assessment of Inconsistencies in Memory Forensics ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-12-12 Jenny Ottmann, Frank Breitinger, Felix Freiling
Memory forensics is concerned with the acquisition and analysis of copies of volatile memory (memory dumps). Based on an empirical assessment of observable inconsistencies in 360 memory dumps of a running Linux system, we confirm a state of overwhelming inconsistency in memory forensics: almost a third of these dumps had an empty process list and was therefore obviously incomplete. Out of those dumps
-
Spoofing Against Spoofing: Toward Caller ID Verification in Heterogeneous Telecommunication Systems ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-12-12 Shen Wang, Mahshid Delavar, Muhammad Ajmal Azad, Farshad Nabizadeh, Steve Smith, Feng Hao
Caller ID spoofing is a global industry problem and often acts as a critical enabler for telephone fraud. To address this problem, the Federal Communications Commission has mandated telecom providers in the U.S. to implement STIR/SHAKEN, an industry-driven solution based on digital signatures. STIR/SHAKEN relies on a public key infrastructure (PKI) to manage digital certificates, but scaling up this
-
Forward Security with Crash Recovery for Secure Logs ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-12-12 Erik-Oliver Blass, Guevara Noubir
Logging is a key mechanism in the security of computer systems. Beyond supporting important forward security properties, it is critical that logging withstands both failures and intentional tampering to prevent subtle attacks leaving the system in an inconsistent state with inconclusive evidence. We propose new techniques combining forward security with crash recovery for secure log data storage. As
-
symbSODA: Configurable and Verifiable Orchestration Automation for Active Malware Deception ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-11-13 Md Sajidul Islam Sajid, Jinpeng Wei, Ehab Al-Shaer, Qi Duan, Basel Abdeen, Latifur Khan
Malware is commonly used by adversaries to compromise and infiltrate cyber systems in order to steal sensitive information or destroy critical assets. Active Cyber Deception (ACD) has emerged as an effective proactive cyber defense against malware to enable misleading adversaries by presenting fake data and engaging them to learn novel attack techniques. However, real-time malware deception is a complex
-
Semi-Supervised Classification of Malware Families Under Extreme Class Imbalance via Hierarchical Non-Negative Matrix Factorization with Automatic Model Selection ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-11-13 Maksim E. Eren, Manish Bhattarai, Robert J. Joyce, Edward Raff, Charles Nicholas, Boian S. Alexandrov
Identification of the family to which a malware specimen belongs is essential in understanding the behavior of the malware and developing mitigation strategies. Solutions proposed by prior work, however, are often not practicable due to the lack of realistic evaluation factors. These factors include learning under class imbalance, the ability to identify new malware, and the cost of production-quality
-
Measures of Information Leakage for Incomplete Statistical Information: Application to a Binary Privacy Mechanism ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-11-13 Shahnewaz Karim Sakib, George T Amariucai, Yong Guan
Information leakage is usually defined as the logarithmic increment in the adversary’s probability of correctly guessing the legitimate user’s private data or some arbitrary function of the private data when presented with the legitimate user’s publicly disclosed information. However, this definition of information leakage implicitly assumes that both the privacy mechanism and the prior probability
-
SAM: Query-efficient Adversarial Attacks against Graph Neural Networks ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-11-13 Chenhan Zhang, Shiyao Zhang, James J. Q. Yu, Shui Yu
Recent studies indicate that Graph Neural Networks (GNNs) are vulnerable to adversarial attacks. Particularly, adversarially perturbing the graph structure, e.g., flipping edges, can lead to salient degeneration of GNNs’ accuracy. In general, efficiency and stealthiness are two significant metrics to evaluate an attack method in practical use. However, most prevailing graph structure-based attack methods
-
System Auditing for Real-Time Systems ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-11-13 Ayoosh Bansal, Anant Kandikuppa, Monowar Hasan, Chien-Ying Chen, Adam Bates, Sibin Mohan
System auditing is an essential tool for detecting malicious events and conducting forensic analysis. Although used extensively on general-purpose systems, auditing frameworks have not been designed with consideration for the unique constraints and properties of Real-Time Systems (RTS). System auditing could provide tremendous benefits for security-critical RTS. However, a naive deployment of auditing
-
Lightbox: Sensor Attack Detection for Photoelectric Sensors via Spectrum Fingerprinting ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-10-14 Dohyun Kim, Mangi Cho, Hocheol Shin, Jaehoon Kim, Juhwan Noh, Yongdae Kim
Photoelectric sensors are utilized in a range of safety-critical applications, such as medical devices and autonomous vehicles. However, the public exposure of the input channel of a photoelectric sensor makes it vulnerable to malicious inputs. Several studies have suggested possible attacks on photoelectric sensors by injecting malicious signals. While a few defense techniques have been proposed against
-
TLS-MHSA: An Efficient Detection Model for Encrypted Malicious Traffic based on Multi-Head Self-Attention Mechanism ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-10-14 Jinfu Chen, Luo Song, Saihua Cai, Haodi Xie, Shang Yin, Bilal Ahmad
In recent years, the use of TLS (Transport Layer Security) protocol to protect communication information has become increasingly popular as users are more aware of network security. However, hackers have also exploited the salient features of the TLS protocol to carry out covert malicious attacks, which threaten the security of network space. Currently, the commonly used traffic detection methods are
-
Fraud Detection under Siege: Practical Poisoning Attacks and Defense Strategies ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-10-14 Tommaso Paladini, Francesco Monti, Mario Polino, Michele Carminati, Stefano Zanero
Machine learning (ML) models are vulnerable to adversarial machine learning (AML) attacks. Unlike other contexts, the fraud detection domain is characterized by inherent challenges that make conventional approaches hardly applicable. In this article, we extend the application of AML techniques to the fraud detection task by studying poisoning attacks and their possible countermeasures. First, we present
-
B3: Backdoor Attacks against Black-box Machine Learning Models ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-08-08 Xueluan Gong, Yanjiao Chen, Wenbin Yang, Huayang Huang, Qian Wang
Backdoor attacks aim to inject backdoors to victim machine learning models during training time, such that the backdoored model maintains the prediction power of the original model towards clean inputs and misbehaves towards backdoored inputs with the trigger. The reason for backdoor attacks is that resource-limited users usually download sophisticated models from model zoos or query the models from
-
Mechanized Proofs of Adversarial Complexity and Application to Universal Composability ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-07-19 Manuel Barbosa, Gilles Barthe, Benjamin Grégoire, Adrien Koutsos, Pierre-Yves Strub
In this work, we enhance the EasyCrypt proof assistant to reason about the computational complexity of adversaries. The key technical tool is a Hoare logic for reasoning about computational complexity (execution time and oracle calls) of adversarial computations. Our Hoare logic is built on top of the module system used by EasyCrypt for modeling adversaries. We prove that our logic is sound w.r.t.
-
Defending Against Membership Inference Attacks on Beacon Services ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-07-19 Rajagopal Venkatesaramani, Zhiyu Wan, Bradley A. Malin, Yevgeniy Vorobeychik
Large genomic datasets are created through numerous activities, including recreational genealogical investigations, biomedical research, and clinical care. At the same time, genomic data has become valuable for reuse beyond their initial point of collection, but privacy concerns often hinder access. Beacon services have emerged to broaden accessibility to such data. These services enable users to query
-
Euler: Detecting Network Lateral Movement via Scalable Temporal Link Prediction ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-06-27 Isaiah J. King, H. Howie Huang
Lateral movement is a key stage of system compromise used by advanced persistent threats. Detecting it is no simple task. When network host logs are abstracted into discrete temporal graphs, the problem can be reframed as anomalous edge detection in an evolving network. Research in modern deep graph learning techniques has produced many creative and complicated models for this task. However, as is
-
A Vulnerability Assessment Framework for Privacy-preserving Record Linkage ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-06-27 Anushka Vidanage, Peter Christen, Thilina Ranbaduge, Rainer Schnell
The linkage of records to identify common entities across multiple data sources has gained increasing interest over the last few decades. In the absence of unique entity identifiers, quasi-identifying attributes such as personal names and addresses are generally used to link records. Due to privacy concerns that arise when such sensitive information is used, privacy-preserving record linkage (PPRL)
-
Privacy-preserving Decentralized Federated Learning over Time-varying Communication Graph ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-06-26 Yang Lu, Zhengxin Yu, Neeraj Suri
Establishing how a set of learners can provide privacy-preserving federated learning in a fully decentralized (peer-to-peer, no coordinator) manner is an open problem. We propose the first privacy-preserving consensus-based algorithm for the distributed learners to achieve decentralized global model aggregation in an environment of high mobility, where participating learners and the communication graph
-
Privacy-preserving Resilient Consensus for Multi-agent Systems in a General Topology Structure ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-06-26 Jian Hou, Jing Wang, Mingyue Zhang, Zhi Jin, Chunlin Wei, Zuohua Ding
Recent advances of consensus control have made it significant in multi-agent systems such as in distributed machine learning, distributed multi-vehicle cooperative systems. However, during its application it is crucial to achieve resilience and privacy; specifically, when there are adversary/faulty nodes in a general topology structure, normal agents can also reach consensus while keeping their actual
-
The Multi-User Constrained Pseudorandom Function Security of Generalized GGM Trees for MPC and Hierarchical Wallets ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-06-26 Chun Guo, Xiao Wang, Xiang Xie, Yu Yu
Multi-user (mu) security considers large-scale attackers that, given access to a number of cryptosystem instances, attempt to compromise at least one of them. We initiate the study of mu security of the so-called GGM tree that stems from the pseudorandom generator to pseudorandom function transformation of Goldreich, Goldwasser, and Micali, with a goal to provide references for its recently popularized
-
Beyond Gradients: Exploiting Adversarial Priors in Model Inversion Attacks ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-06-26 Dmitrii Usynin, Daniel Rueckert, Georgios Kaissis
Collaborative machine learning settings such as federated learning can be susceptible to adversarial interference and attacks. One class of such attacks is termed model inversion attacks, characterised by the adversary reverse-engineering the model into disclosing the training data. Previous implementations of this attack typically only rely on the shared data representations, ignoring the adversarial
-
End-to-End Security for Distributed Event-driven Enclave Applications on Heterogeneous TEEs ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-06-26 Gianluca Scopelliti, Sepideh Pouyanrad, Job Noorman, Fritz Alder, Christoph Baumann, Frank Piessens, Jan Tobias Mühlberg
This article presents an approach to provide strong assurance of the secure execution of distributed event-driven applications on shared infrastructures, while relying on a small Trusted Computing Base. We build upon and extend security primitives provided by Trusted Execution Environments (TEEs) to guarantee authenticity and integrity properties of applications, and to secure control of input and
-
Resilience-by-design in Adaptive Multi-agent Traffic Control Systems ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-06-26 Ranwa Al Mallah, Talal Halabi, Bilal Farooq
Connected and Autonomous Vehicles (CAVs) with their evolving data gathering capabilities will play a significant role in road safety and efficiency applications supported by Intelligent Transport Systems (ITSs), such as Traffic Signal Control (TSC) for urban traffic congestion management. However, their involvement will expand the space of security vulnerabilities and create larger threat vectors.
-
B3: Backdoor Attacks Against Black-Box Machine Learning Models ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-06-22 Xueluan Gong, Yanjiao Chen, Wenbin Yang, Huayang Huang, Qian Wang
Backdoor attacks aim to inject backdoors to victim machine learning models during training time, such that the backdoored model maintains the prediction power of the original model towards clean inputs and misbehaves towards backdoored inputs with the trigger. The reason for backdoor attacks is that resource-limited users usually download sophisticated models from model zoos or query the models from
-
Costs and Benefits of Authentication Advice ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-05-13 Hazel Murray, David Malone
Authentication security advice is given with the goal of guiding users and organisations towards secure actions and practices. In this article, a taxonomy of 270 pieces of authentication advice is created, and a survey is conducted to gather information on the costs associated with following or enforcing the advice. Our findings indicate that security advice can be ambiguous and contradictory, with
-
PrivExtractor: Toward Redressing the Imbalance of Understanding between Virtual Assistant Users and Vendors ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-05-13 Tom Bolton, Tooska Dargahi, Sana Belguith, Carsten Maple
The use of voice-controlled virtual assistants (VAs) is significant, and user numbers increase every year. Extensive use of VAs has provided the large, cash-rich technology companies who sell them with another way of consuming users’ data, providing a lucrative revenue stream. Whilst these companies are legally obliged to treat users’ information “fairly and responsibly,” artificial intelligence techniques
-
Privacy Policies across the Ages: Content of Privacy Policies 1996–2021 ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-05-13 Isabel Wagner
It is well known that most users do not read privacy policies but almost always tick the box to agree with them. While the length and readability of privacy policies have been well studied and many approaches for policy analysis based on natural language processing have been proposed, existing studies are limited in their depth and scope, often focusing on a small number of data practices at single
-
Energy Efficient and Secure Neural Network–based Disease Detection Framework for Mobile Healthcare Network ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-04-15 Sona Alex, Dhanaraj K. J., Deepthi P. P.
Adopting mobile healthcare network (MHN) services such as disease detection is fraught with concerns about the security and privacy of the entities involved and the resource restrictions at the Internet of Things (IoT) nodes. Hence, the essential requirements for disease detection services are to (i) produce accurate and fast disease detection without jeopardizing the privacy of health clouds and medical
-
SoK: Human-centered Phishing Susceptibility ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-04-14 Sijie Zhuo, Robert Biddle, Yun Sing Koh, Danielle Lottridge, Giovanni Russello
Phishing is recognized as a serious threat to organizations and individuals. While there have been significant technical advances in blocking phishing attacks, end-users remain the last line of defence after phishing emails reach their email inboxes. Most of the existing literature on this subject has focused on the technical aspects related to phishing. The factors that cause humans to be susceptible
-
Stateful Protocol Composition in Isabelle/HOL ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-04-14 Andreas V. Hess, Sebastian A. Mödersheim, Achim D. Brucker
Communication networks like the Internet form a large distributed system where a huge number of components run in parallel, such as security protocols and distributed web applications. For what concerns security, it is obviously infeasible to verify them all at once as one monolithic entity; rather, one has to verify individual components in isolation. While many typical components like TLS have been
-
VulANalyzeR: Explainable Binary Vulnerability Detection with Multi-task Learning and Attentional Graph Convolution ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-04-14 Litao Li, Steven H. H. Ding, Yuan Tian, Benjamin C. M. Fung, Philippe Charland, Weihan Ou, Leo Song, Congwei Chen
Software vulnerabilities have been posing tremendous reliability threats to the general public as well as critical infrastructures, and there have been many studies aiming to detect and mitigate software defects at the binary level. Most of the standard practices leverage both static and dynamic analysis, which have several drawbacks like heavy manual workload and high complexity. Existing deep learning-based
-
Balancing Security and Privacy in Genomic Range Queries ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-03-13 Seoyeon Hwang, Ercan Ozturk, Gene Tsudik
Exciting recent advances in genome sequencing, coupled with greatly reduced storage and computation costs, make genomic testing increasingly accessible to individuals. Already today, one’s digitized DNA can be easily obtained from a sequencing lab and later used to conduct numerous tests by engaging with a testing facility. Due to the inherent sensitivity of genetic material and the often-proprietary
-
RansomShield: A Visualization Approach to Defending Mobile Systems Against Ransomware ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-03-13 Nada Lachtar, Duha Ibdah, Hamza Khan, Anys Bacha
The unprecedented growth in mobile systems has transformed the way we approach everyday computing. Unfortunately, the emergence of a sophisticated type of malware known as ransomware poses a great threat to consumers of this technology. Traditional research on mobile malware detection has focused on approaches that rely on analyzing bytecode for uncovering malicious apps. However, cybercriminals can
-
Performance and Usability Evaluation of Brainwave Authentication Techniques with Consumer Devices ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2023-03-13 Patricia Arias-Cabarcos, Matin Fallahi, Thilo Habrich, Karen Schulze, Christian Becker, Thorsten Strufe
Brainwaves have demonstrated to be unique enough across individuals to be useful as biometrics. They also provide promising advantages over traditional means of authentication, such as resistance to external observability, revocability, and intrinsic liveness detection. However, most of the research so far has been conducted with expensive, bulky, medical-grade helmets, which offer limited applicability
-
Log-related Coding Patterns to Conduct Postmortems of Attacks in Supervised Learning-based Projects ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-12-14 Farzana Ahamed Bhuiyan, Akond Rahman
Adversarial attacks against supervised learning algorithms, which necessitates the application of logging while using supervised learning algorithms in software projects. Logging enables practitioners to conduct postmortem analysis, which can be helpful to diagnose any conducted attacks. We conduct an empirical study to identify and characterize log-related coding patterns, i.e., recurring coding patterns
-
Assessing Cyber Risk in Cyber-Physical Systems Using the ATT&CK Framework ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-11-21 Ahmed Amro, Vasileios Gkioulos, Sokratis Katsikas
Autonomous transport receives increasing attention, with research and development activities already providing prototype implementations. In this article we focus on Autonomous Passenger Ships (APS), which are being considered as a solution for passenger transport across urban waterways. The ambition of the authors has been to examine the safety and security implications of such a Cyber Physical System
-
Revisiting the Security of Biometric Authentication Systems Against Statistical Attacks ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-11-19 Sohail Habib, Hassan Khan, Andrew Hamilton-Wright, Urs Hengartner
The uniqueness of behavioural biometrics (e.g., voice or keystroke patterns) has been challenged by recent works. Statistical attacks have been proposed that infer general population statistics and target behavioural biometrics against a particular victim. We show that despite their success, these approaches require several attempts for successful attacks against different biometrics due to the different
-
Assessment Framework for the Identification and Evaluation of Main Features for Distributed Usage Control Solutions ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-11-11 Gonzalo Gil, Aitor Arnaiz, Mariví Higuero, Francisco Javier Diez
Data exchange between organizations is becoming an increasingly significant issue due to the great opportunities it presents. However, there is great reluctance to share if data sovereignty is not provided. Providing it calls for not only access control but also usage control implemented in distributed systems. Access control is a research field where there has been a great deal of work, but usage
-
Automated Security Assessments of Amazon Web Service Environments ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-11-09 Viktor Engström, Pontus Johnson, Robert Lagerström, Erik Ringdahl, Max Wällstedt
Migrating enterprises and business capabilities to cloud platforms like Amazon Web Services (AWS) has become increasingly common. However, securing cloud operations, especially at large scales, can quickly become intractable. Customer-side issues such as service misconfigurations, data breaches, and insecure changes are prevalent. Furthermore, cloud-specific tactics and techniques paired with application
-
Industrial Control Systems Security via Runtime Enforcement ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-11-09 Ruggero Lanotte, Massimo Merro, Andrei Munteanu
With the advent of Industry 4.0, industrial facilities and critical infrastructures are transforming into an ecosystem of heterogeneous physical and cyber components, such as programmable logic controllers, increasingly interconnected and therefore exposed to cyber-physical attacks, i.e., security breaches in cyberspace that may adversely affect the physical processes underlying industrial control
-
Secure and Reliable Network Updates ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-11-09 James Lembke, Srivatsan Ravi, Pierre-Louis Roman, Patrick Eugster
Software-defined wide area networking (SD-WAN) enables dynamic network policy control over a large distributed network via network updates. To be practical, network updates must be consistent (i.e., free of transient errors caused by updates to multiple switches), secure (i.e., only be executed when sent from valid controllers), and reliable (i.e., function despite the presence of faulty or malicious
-
Differentially Private Real-Time Release of Sequential Data ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-11-07 Xueru Zhang, Mohammad Mahdi Khalili, Mingyan Liu
Many data analytics applications rely on temporal data, generated (and possibly acquired) sequentially for online analysis. How to release this type of data in a privacy-preserving manner is of great interest and more challenging than releasing one-time, static data. Because of the (potentially strong) temporal correlation within the data sequence, the overall privacy loss can accumulate significantly
-
Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-11-07 Christoph Hagen, Christian Weinert, Christoph Sendner, Alexandra Dmitrienko, Thomas Schneider
Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods and propose suitable mitigations. Our study of three popular messengers (WhatsApp, Signal, and Telegram) shows that large-scale crawling attacks are (still) possible. Using an accurate
-
A Systematic Analysis of the Capital One Data Breach: Critical Lessons Learned ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-11-07 Shaharyar Khan, Ilya Kabanov, Yunke Hua, Stuart Madnick
The 2019 Capital One data breach was one of the largest data breaches impacting the privacy and security of personal information of over 100 million individuals. In most reports about a cyberattack, you will often hear that it succeeded because a single employee clicked on a link in a phishing email or forgot to patch some software, making it seem like an isolated, one-off, trivial problem involving
-
What Users Want From Cloud Deletion and the Information They Need: A Participatory Action Study ACM Trans. Priv. Secur. (IF 2.3) Pub Date : 2022-11-07 Kopo Marvin Ramokapane, Jose Such, Awais Rashid
Current cloud deletion mechanisms fall short in meeting users’ various deletion needs. They assume all data is deleted the same way—data is temporally removed (or hidden) from users’ cloud accounts before being completely deleted. This assumption neglects users’ desire to have data completely deleted instantly or their preference to have it recoverable for a more extended period. To date, these preferences