The Journal of Computer Security presents research and development results of lasting significance in the theory, design, implementation, analysis, and application of secure computer systems. It also provides a forum for ideas about the meaning and implications of security and privacy, particularly those with important consequences for the technical community.
The journal provides an opportunity to publish articles of greater depth and length than is possible in the proceedings of various existing conferences, while addressing an audience of researchers in computer security who can be assumed to have a more specialized background than the readership of other archival publications. The journal welcomes contributions on all aspects of computer security: confidentiality, integrity, and assurance of service - that is, protection against unauthorized disclosure or modification of sensitive information, or denial of service. Of interest is a precise understanding of security policies through modelling, as well as the design and analysis of mechanisms for enforcing them, and the architectural principles of software and hardware systems implementing them.
Authors: Salem, Asma | Sharieh, Ahmad | Jabri, Riad
Article Type: Research Article
Abstract: Nowadays, people become more connected to the internet using their mobile devices. They tend to use their critical and sensitive data among many applications. These applications provide security via user authentication. Authentication by passwords is a reliable and efficient access control procedure, but it is not sufficient. Additional procedures are needed to enhance the security of these applications. Keystroke dynamics (KSD) is one of the common behavioral based systems. KSD rhythm uses combinations of timing and non-timing features that are extracted and processed from several devices. This work presents a novel authentication approach based on two factors: password and KSD. Also, it presents extensive comparative analysis conducted between authentication systems based on KSDs. It proposes a prototype for a keyboard in order to collect timing and non-timing information from KSDs. Hence, the proposed approach uses timing and several non-timing features. These features have a demonstrated significant role for improving the performance measures of KSD behavioral authentication systems. Several experiments have been done and show acceptable level in performance measures as a second authentication factor. The approach has been tested using multiple classifiers. When Random Forest classifier has been used, the approach reached 0% error rate with 100% accuracy for classification.
Keywords: Authentication, security, biometric-based security, keystroke dynamics, random forest classifier, typing behavior
DOI: 10.3233/JCS-210081
Citation: Journal of Computer Security, vol. Pre-press, no. Pre-press, pp. 1-31, 2022
Authors: Chaudhari, Ashish R. | Gohil, Bhavesh N. | Rao, Udai Pratap
Article Type: Research Article
Abstract: Cloud computing provides computing resources, platforms, and applications as a service in a flexible, cost-effective, and efficient way. Cloud computing has integrated with industry and many other fields in recent years, which prompted researchers to look into new technologies. Cloud users have moved their applications, data and services to the Cloud storage due to the availability and scalability of Cloud services. Cloud services and applications are provided through the Internet-based on a pay-per-use model. Plenty of security issues are created due to the migration from local to remote computing for both Cloud users and providers. This paper discusses an overview of Cloud computing, as well as a study of security issues at various levels of Cloud computing. The article also provides a complete review of security issues with their existing solutions for a better understanding of specific open research issues.
Keywords: Cloud computing, Cloud security, virtualization, security issues, security solutions
DOI: 10.3233/JCS-210140
Citation: Journal of Computer Security, vol. Pre-press, no. Pre-press, pp. 1-27, 2022
Authors: Neves, Flávio | Souza, Rafael | Sousa, Juliana | Bonfim, Michel | Garcia, Vinicius
Article Type: Research Article
Abstract: The Internet of Things (IoT) has shown rapid growth in recent years. However, it presents challenges related to the lack of standardization of communication produced by different types of devices. Another problem area is the security and privacy of data generated by IoT devices. Thus, with the focus on grouping, analyzing, and classifying existing data security and privacy methods in IoT, based on data anonymization, we have conducted a Systematic Literature Review (SLR). We have therefore reviewed the history of works developing solutions for security and privacy in the IoT, particularly data anonymization and the leading technologies used by researchers in their work. We also discussed the challenges and future directions for research. The objective of the work is to give order to the main approaches that promise to provide or facilitate data privacy using anonymization in the IoT area. The study’s results can help us understand the best anonymization techniques to provide data security and privacy in IoT environments. In addition, the findings can also help us understand the limitations of existing approaches and identify areas for improvement. The results found in most of the studies analyzed indicate a lack of consensus in the following areas: (i) with regard to a solution with a standardized methodology to be applied in all scenarios that encompass IoT; (ii) the use of different techniques to anonymize the data; and (iii), the resolution of privacy issues. On the other hand, results made available by the k-anonymity technique proved efficient in combination with other techniques. In this context, data privacy presents one of the main challenges for broadening secure domains in applying privacy with anonymity.
Keywords: Internet of Things, privacy, data anonymization, k-anonymity, data flow
DOI: 10.3233/JCS-210089
Citation: Journal of Computer Security, vol. Pre-press, no. Pre-press, pp. 1-31, 2023
Authors: Afzali, Hammad | Torres-Arias, Santiago | Curtmola, Reza | Cappos, Justin
Article Type: Research Article
Abstract: Although code review is an essential step for ensuring the quality of software, it is surprising that current code review systems do not have mechanisms to protect the integrity of the code review process. We uncover multiple attacks against the code review infrastructure which are easy to execute, stealthy in nature, and can have a significant impact, such as allowing malicious or buggy code to be merged and propagated to future releases. To improve this status quo, in this work we lay the foundations for securing the code review process. Towards this end, we first identify a set of key design principles necessary to secure the code review process. We then use these principles to propose SecureReview, a security mechanism that can be applied on top of a Git-based code review system to ensure the integrity of the code review process and provide verifiable guarantees that the code review process followed the intended review policy. We implement SecureReview as a Chrome browser extension for GitHub and Gerrit. Our security analysis shows that SecureReview is effective in mitigating the aforementioned attacks. An experimental evaluation shows that the SecureReview implementation only adds a slight storage overhead (i.e., less than 0.0006 of the repository size).
Keywords: Code review policy, verifiable code review process, review unit, browser extension, GitHub, Gerrit
DOI: 10.3233/JCS-210098
Citation: Journal of Computer Security, vol. Pre-press, no. Pre-press, pp. 1-32, 2022
Authors: Klenze, Tobias | Sprenger, Christoph | Basin, David
Article Type: Research Article
Abstract: Today’s Internet is built on decades-old networking protocols that lack scalability, reliability and security. In response, the networking community has developed path-aware Internet architectures that solve these problems while simultaneously empowering end hosts to exert some control on their packets’ route through the network. In these architectures, autonomous systems authorize forwarding paths in accordance with their routing policies, and protect these paths using cryptographic authenticators. For each packet, the sending end host selects an authorized path and embeds it and its authenticators in the packet header. This allows routers to efficiently determine how to forward the packet. The central security property of the data plane, i.e., of forwarding, is that packets can only travel along authorized paths. This property, which we call path authorization, protects the routing policies of autonomous systems from malicious senders. The fundamental role of packet forwarding in the Internet’s ecosystem and the complexity of the authentication mechanisms employed call for a formal analysis. We develop IsaNet, a parameterized verification framework for data plane protocols in Isabelle/HOL. We first formulate an abstract model without an attacker for which we prove path authorization. We then refine this model by introducing a Dolev–Yao attacker and by protecting authorized paths using (generic) cryptographic validation fields. This model is parametrized by the path authorization mechanism and assumes five simple verification conditions. We propose novel attacker models and different sets of assumptions on the underlying routing protocol. We validate our framework by instantiating it with nine concrete protocol variants and prove that they each satisfy the verification conditions (and hence path authorization). The invariants needed for the security proof are proven in the parametrized model instead of the instance models. Our framework thus supports low-effort security proofs for data plane protocols. In contrast to what could be achieved with state-of-the-art automated protocol verifiers, our results hold for arbitrary network topologies and sets of authorized paths.
Keywords: Security protocols, formal verification, future Internet, data plane
DOI: 10.3233/JCS-220021
Citation: Journal of Computer Security, vol. Pre-press, no. Pre-press, pp. 1-43, 2022
Authors: Sempreboni, Diego | Viganò, Luca
Article Type: Research Article
Abstract: There is an increasing number of cyber-systems (e.g., systems for payment, transportation, voting, critical infrastructures) whose security depends intrinsically on human users. In this paper, we introduce a novel approach for the formal and automated analysis of security ceremonies. A security ceremony expands a security protocol to include human nodes alongside computer nodes, with communication links that comprise user interfaces, human-to-human communication and transfers of physical objects that carry data, and thus a ceremony’s security analysis should include, in particular, the mistakes that human users might make when participating actively in the ceremony. Our approach defines mutation rules that model possible behaviors of a human user, automatically generates mutations in the behavior of the other agents of the ceremony to match the human-induced mutations, and automatically propagates these mutations through the whole ceremony. This allows for the analysis of the original ceremony specification and its possible mutations, which may include the way in which the ceremony has actually been implemented or could be implemented. To automate our approach, we have developed the tool X-Men, which is a prototype that builds on top of Tamarin, one of the most common tools for the automatic unbounded verification of security protocols. As a proof of concept, we have applied our approach to three real-life case studies, uncovering a number of concrete vulnerabilities. Some of these vulnerabilities were so far unknown, whereas others had so far been discovered only by empirical observation of the actual ceremony execution or by directly formalizing alternative models of the ceremony by hand, but X-Men instead allowed us to find them automatically.
Keywords: Security ceremonies, socio-technical security, formal methods, mutations, automated reasoning
DOI: 10.3233/JCS-210075
Citation: Journal of Computer Security, vol. Pre-press, no. Pre-press, pp. 1-72, 2022
Authors: Zhang, Jianfeng | Zhang, Wensheng | Xu, Jingdong
Article Type: Research Article
Abstract: Due to the limited capabilities of user devices, such as smart phones, and the Internet of Things (IoT), edge intelligence is being recognized as a promising paradigm to enable effective analysis of the data generated by these devices with complex artificial intelligence (AI) models, and it often entails either fully or partially offloading the computation of neural networks from user devices to edge computing servers. To protect users’ data privacy in the process, most existing researches assume that the private (sensitive) attributes of user data are known in advance when designing privacy-protection measures. This assumption is restrictive in real life, and thus limits the application of these methods. Inspired by the research in image steganography and cyber deception, in this paper, we propose StegEdge, a conceptually novel approach to this challenge. StegEdge takes as input the user-generated image and a randomly selected “cover” image that does not pose any privacy concern (e.g., downloaded from the Internet), and extracts the features such that the utility tasks can still be conducted by the edge computing servers, while potential adversaries seeking to reconstruct/recover the original user data or analyze sensitive attributes from the extracted features sent from users to the server, will largely acquire information of the cover image. Thus, users’ data privacy is protected via a form of deception. Empirical results conducted on the CelebA and ImageNet datasets show that, at the same level of accuracy for utility tasks, StegEdge reduces the adversaries’ accuracy of predicting sensitive attributes by up to 38% compared with other methods, while also defending against adversaries seeking to reconstruct user data from the extracted features.
Keywords: Cyber deception, privacy, Internet of Things, edge computing, deep learning inference
DOI: 10.3233/JCS-220042
Citation: Journal of Computer Security, vol. Pre-press, no. Pre-press, pp. 1-25, 2022
Authors: Wanjau, Stephen Kahara | Wambugu, Geoffrey Mariga | Oirere, Aaron Mogeni | Muketha, Geoffrey Muchiri
Article Type: Research Article
Abstract: Increasing interest and advancement of internet and communication technologies have made network security rise as a vibrant research domain. Network intrusion detection systems (NIDSs) have developed as indispensable defense mechanisms in cybersecurity that are employed in discovery and prevention of malicious network activities. In the recent years, researchers have proposed deep learning approaches in the development of NIDSs owing to their ability to extract better representations from large corpus of data. In the literature, convolutional neural network architecture is extensively used for spatial feature learning, while the long short term memory networks are employed to learn temporal features. In this paper, a novel hybrid method that learns the discriminative spatial and temporal features from the network flow is proposed for detecting network intrusions. A two dimensional convolution neural network is proposed to intelligently extract the spatial characteristics whereas a bi-directional long short term memory is used to extract temporal features of network traffic data samples consequently, forming a deep hybrid neural network architecture for identification and classification of network intrusion samples. Extensive experimental evaluations were performed on two well-known benchmark datasets: CIC-IDS 2017 and the NSL-KDD datasets. The proposed network model demonstrated state-of-the-art performance with experimental results showing that the accuracy and precision scores of the intrusion detection model are significantly better than those of other existing models. These results depict the applicability of the proposed model in the spatial-temporal feature learning in network intrusion detection systems.
Keywords: Network intrusion detection, deep learning, spatial feature learning, temporal feature learning, Convolutional Neural Networks, Bi-directional Long Short Term Memory
DOI: 10.3233/JCS-220031
Citation: Journal of Computer Security, vol. Pre-press, no. Pre-press, pp. 1-30, 2023
Authors: Zhang, Yubao | Wang, Haining | Stavrou, Angelos
Article Type: Research Article
Abstract: Online reviews, which play a key role in the ecosystem of nowadays business, have been the primary source of consumer opinions. Due to their importance, professional review writing services are employed for paid reviews and even being exploited to conduct opinion spam. Posting deceptive reviews could mislead customers, yield significant benefits or losses to service vendors, and erode confidence in the entire online purchasing ecosystem. In this paper, we ferret out deceptive reviews originated from professional review writing services. We do so even when reviewers leverage a number of pseudonymous identities to avoid the detection. To unveil the pseudonymous identities associated with deceptive reviewers, we leverage the multiview clustering method. This enables us to characterize the writing style of reviewers (deceptive vs normal) and cluster the reviewers based on their writing style. Furthermore, we explore different neural network models to model the writing style of deceptive reviews. We select the best performing neural network to generate the representation of reviews. We validate the effectiveness of the multiview clustering framework using real-world Amazon review data under different experimental scenarios. Our results show that our approach outperforms previous research. We further demonstrate its superiority through a large-scale case study based on publicly available Amazon datasets.
Keywords: Multiview clustering, deceptive review detection, neural network
DOI: 10.3233/JCS-220001
Citation: Journal of Computer Security, vol. Pre-press, no. Pre-press, pp. 1-22, 2023
Authors: Han, Ziyang | Ye, Qingqing | Hu, Haibo
Article Type: Research Article
Abstract: Many breakthroughs on security and privacy-preserving techniques have emerged to mitigate the trust loss of cloud hosting environment caused by various types of attacks. To enhance memory-level security of multi-keyword fuzzy search, a widely occurred query request, we take the initiative to apply Trusted Execution Environment (a.k.a TEE) technology to our protocol design which provides hardware-based tamper-proof enclaves. Then we propose the Edit Distance-based Obfuscation Mechanism to further protect the query process executed outside TEE against access pattern leakage. With concerns of practicality and performance, we also propose the two-layer fuzzy index structure and Trend-aware Cache. The former addresses the space limitation of TEE memory for searching large datasets, while the latter optimizes the cache utility of TEE with trend-aware coordinator to effectively reduce the communication overhead.
Keywords: Keyword Search, Fuzzy Search, Privacy Preservation, Trusted Execution Environment, Cloud Security
DOI: 10.3233/JCS-210145
Citation: Journal of Computer Security, vol. Pre-press, no. Pre-press, pp. 1-24, 2022