Biblio

Biometry is often used as a part of the multi-factor authentication in order to improve the security of IT systems. In this paper, we propose the palmprint-based solution for user identity verification. In particular, we present a new approach to feature extraction. The proposed method is based both on texture and color information. Our experiments show that using the proposed hybrid features allows for achieving satisfactory accuracy without increasing requirements for additional computational resources. It is important from our perspective since the proposed method is dedicated to smartphones and other handhelds in mobile verification scenarios.

BYOD (Bring Your Own Device) trends allows employees to use the smartphone as a tool in everyday work and also as an attendance device. The security of employee attendance system is important to ensure that employees do not commit fraud in recording attendance and when monitoring activities at working hours. In this paper, we propose a combination of fingerprint, secure android ID, and GPS as authentication factors, also addition of anti emulator and anti fake location module turn Mobile Attendance System into Mobile Secure Attendance System. Testing based on scenarios that have been adapted to various possible frauds is done to prove whether the system can minimize the occurrence of fraud in attendance recording and monitoring of employee activities.

ARGOS is a web service we implemented to offer face recognition Authentication Services (AaaS) to mobile and desktop (via the web browser) end users. The Authentication Services may be used by 3rd party service organizations to enhance their service offering to their customers. ARGOS implements a secure face recognition-based authentication service aiming to provide simple and intuitive tools for 3rd party service providers (like PayPal, banks, e-commerce etc) to replace passwords with face biometrics. It supports authentication from any device with 2D or 3D frontal facing camera (mobile phones, laptops, tablets etc.) and almost any operating systems (iOS, Android, Windows and Linux Ubuntu).

Trusted Execution Environments (TEEs) provide hardware support to isolate the execution of sensitive operations on mobile phones for improved security. However, they are not always available to use for application developers. To provide a consistent user experience to those who have and do not have a TEE-enabled device, we could get help from Open-TEE, an open-source GlobalPlatform (GP)-compliant software TEE emulator. However, Open-TEE does not offer any of the security properties hardware TEEs have. In this paper, we propose WhiteBox-TEE which integrates white-box cryptography with Open-TEE to provide better security while still remaining complaint with GP TEE specifications. We discuss the architecture, provisioning mechanism, implementation highlights, security properties and performance issues of WhiteBox-TEE and propose possible revisions to TEE specifications to have better use of white-box cryptography in software-only TEEs.

Authorizing access to the public cloud has evolved over the last few years, from simple user authentication and password authentication to two-factor authentication (TOTP), with the addition of an additional field for entering a unique code. Today it is used by almost all major websites such as Facebook, Microsoft, Apple and is a frequently used solution for banking websites. On the other side, the private cloud solutions like OpenStack, CloudStack or Eucalyptus doesn't offer this security improvement. This article is presenting the advantages of this new type of authentication and synthetizes the TOTP authentication forms used by major cloud providers. Furthermore, the article is proposing to solve this challenge by presenting a practical solution for adding two-factor authentication for OpenStack cloud. For this purpose, the web authentication form has been modified and a new authentication module has been developed. The present document covers as well the entire process of adding a TOTP user, generating and sending the secret code in QR form to the user. The study concludes with OpenStack tools used for simplifying the entire process presented above.

Mobile payment has drawn considerable attention due to its convenience of paying via personal mobile devices at anytime and anywhere, and passcodes (i.e., PINs or patterns) are the first choice of most consumers to authorize the payment. This paper demonstrates a serious security breach and aims to raise the awareness of the public that the passcodes for authorizing transactions in mobile payments can be leaked by exploiting the embedded sensors in wearable devices (e.g., smartwatches). We present a passcode inference system, WristSpy, which examines to what extent the user's PIN/pattern during the mobile payment could be revealed from a single wrist-worn wearable device under different passcode input scenarios involving either two hands or a single hand. In particular, WristSpy has the capability to accurately reconstruct fine-grained hand movement trajectories and infer PINs/patterns when mobile and wearable devices are on two hands through building a Euclidean distance-based model and developing a training-free parallel PIN/pattern inference algorithm. When both devices are on the same single hand, a highly challenging case, WristSpy extracts multi-dimensional features by capturing the dynamics of minute hand vibrations and performs machine-learning based classification to identify PIN entries. Extensive experiments with 15 volunteers and 1600 passcode inputs demonstrate that an adversary is able to recover a user's PIN/pattern with up to 92% success rate within 5 tries under various input scenarios.

On ARM processors with TrustZone security extension, asynchronous introspection mechanisms have been developed in the secure world to detect security policy violations in the normal world. These mechanisms provide security protection via passively checking the normal world snapshot. However, since previous secure world checking solutions require to suspend the entire rich OS, asynchronous introspection has not been widely adopted in the real world. Given a multi-core ARM system that can execute the two worlds simultaneously on different cores, secure world introspection can check the rich OS without suspension. However, we identify a new normal-world evasion attack that can defeat the asynchronous introspection by removing the attacking traces in parallel from one core when the security checking is performing on another core. We perform a systematic study on this attack and present its efficiency against existing asynchronous introspection mechanisms. As the countermeasure, we propose a secure and trustworthy asynchronous introspection mechanism called SATIN, which can efficiently detect the evasion attacks by increasing the attackers' evasion time cost and decreasing the defender's execution time under a safe limit. We implement a prototype on an ARM development board and the experimental results show that SATIN can effectively prevent evasion attacks on multi-core systems with a minor system overhead.

This paper presents the details of the roving proxy framework for SMS spam and SMS phishing (SMishing) detection. The framework aims to protect organizations and enterprises from the danger of SMishing attacks. Feasibility and functionality studies of the framework are presented along with an update process study to define the minimum requirements for the system to adapt with the latest spam and SMishing trends.

Researchers and industry experts are looking at how to improve a shopper's experience and a store's revenue by leveraging and integrating technologies at the edges of the network, such as Internet-of-Things (IoT) devices, cloud-based systems, and mobile applications. The integration of IoT technology can now be used to improve purchasing incentives through the use of electronic coupons. Research has shown that targeted electronic coupons are the most effective and coupons presented to the shopper when they are near the products capture the most shoppers' dollars. Although it is easy to imagine coupons being broadcast to a shopper's mobile device over a low-power wireless channel, such a solution must be able to advertise many products, target many individual shoppers, and at the same time, provide shoppers with their desired level of privacy. To support this type of IoT-enabled shopping experience, we have designed Aggio, an electronic coupon distribution system that enables the distribution of localized, targeted coupons while supporting user privacy and security. Aggio uses cryptographic mechanisms to not only provide security but also to manage shopper groups e.g., bronze, silver, and gold reward programs) and minimize resource usage, including bandwidth and energy. The novel use of cryptographic management of coupons and groups allows Aggio to reduce bandwidth use, as well as reduce the computing and energy resources needed to process incoming coupons. Through the use of local coupon storage on the shopper's mobile device, the shopper does not need to query the cloud and so does not need to expose all of the details of their shopping decisions. Finally, the use of privacy preserving communication between the shopper's mobile device and the CouponHubs that are distributed throughout the retail environment allows the shopper to expose their location to the store without divulging their location to all other shoppers present in the store.

The barcode is an important link between real life and the virtual world nowadays. One of the most common barcodes is QR code, which its appearance, black and white modules, is not visually pleasing. The QR code is applied to product packaging and campaign promotion in the market. There are more and more stores using QR code for transaction payment. If the QR code is altered or illegally duplicated, it will endanger the information security of users. Therefore, the study uses infrared watermarking to embed the infrared QR code information into the explicit QR code to strengthen the anti-counterfeiting features. The explicit graphic QR code is produced by data hiding with error diffusion in this study. With the optical characteristics of K, one of the four printed ink colors CMYK (Cyan, Magenta, Yellow, Black), only K can be rendered in infrared. Hence, we use the infrared watermarking to embed the implicit QR code information into the explicit graphic QR code. General QR code reader may be used to interpret explicit graphic QR code information. As for implicit QR code, it needs the infrared detector to extract its implicit QR code information. If the QR code is illegally copied, it will not show the hidden second QR code under infrared detection. In this study, infrared watermark hidden in the graphic QR code can enhance not only the aesthetics of QR code, but also the anti-counterfeiting feature. It can also be applied to printing related fields, such as security documents, banknotes, etc. in the future.

Nowadays, The incorporation of different function of the network, as well as routing, administration, and security, is basic to the effective operation of a mobile circumstantial network these days, in MANET thought researchers manages the problems of QoS and security severally. Currently, each the aspects of security and QoS influence negatively on the general performance of the network once thought-about in isolation. In fact, it will influence the exceptionally operating of QoS and security algorithms and should influence the important and essential services needed within the MANET. Our paper outlines 2 accomplishments via; the accomplishment of security and accomplishment of quality. The direction towards achieving these accomplishments is to style and implement a protocol to suite answer for policy-based network administration, and methodologies for key administration and causing of IPsec in a very MANET.

Recent research has proposed middleware to enable efficient distributed apps over mobile-cloud platforms. This paper presents a Context-Aware File Discovery Service (CAFDS) that allows distributed mobile-cloud applications to find and access files of interest shared by collaborating users. CAFDS enables programmers to search for files defined by context and content features, such as location, creation time, or the presence of certain object types within an image file. CAFDS provides low-latency through a cloud-based metadata server, which uses a decision tree to locate the nearest files that satisfy the context and content features requested by applications. We implemented CAFDS in Android and Linux. Experimental results show CAFDS achieves substantially lower latency than peer-to-peer solutions that cannot leverage context information.

Smartphones have evolved over the years from simple devices to communicate with each other to fully functional portable computers although with comparatively less computational power but inholding multiple applications within. With the smartphone revolution, the value of personal data has increased. As technological complexities increase, so do the vulnerabilities in the system. Smartphones are the latest target for attacks. Android being an open source platform and also the most widely used smartphone OS draws the attention of many malware writers to exploit the vulnerabilities of it. Attackers try to take advantage of these vulnerabilities and fool the user and misuse their data. Malwares have come a long way from simple worms to sophisticated DDOS using Botnets, the latest trends in computer malware tend to go in the distributed direction, to evade the multiple anti-virus apps developed to counter generic viruses and Trojans. However, the recent trend in android system is to have a combination of applications which acts as malware. The applications are benign individually but when grouped, these may result into a malicious activity. This paper proposes a new category of distributed malware in android system, how it can be used to evade the current security, and how it can be detected with the help of graph matching algorithm.

Edge computing for mobile devices in vehicular ad hoc networks (VANETs) has to address rogue edge attacks, in which a rogue edge node claims to be the serving edge in the vehicle to steal user secrets and help launch other attacks such as man-in-the-middle attacks. Rogue edge detection in VANETs is more challenging than the spoofing detection in indoor wireless networks due to the high mobility of onboard units (OBUs) and the large-scale network infrastructure with roadside units (RSUs). In this paper, we propose a physical (PHY)- layer rogue edge detection scheme for VANETs according to the shared ambient radio signals observed during the same moving trace of the mobile device and the serving edge in the same vehicle. In this scheme, the edge node under test has to send the physical properties of the ambient radio signals, including the received signal strength indicator (RSSI) of the ambient signals with the corresponding source media access control (MAC) address during a given time slot. The mobile device can choose to compare the received ambient signal properties and its own record or apply the RSSI of the received signals to detect rogue edge attacks, and determines test threshold in the detection. We adopt a reinforcement learning technique to enable the mobile device to achieve the optimal detection policy in the dynamic VANET without being aware of the VANET model and the attack model. Simulation results show that the Q-learning based detection scheme can significantly reduce the detection error rate and increase the utility compared with existing schemes.

The proliferation of Bluetooth mobile device communications into all aspects of modern society raises security questions by both academicians and practitioners. This environment prompted an investigation into the real-world use of Bluetooth protocols along with an analysis of documented security attacks. The experiment discussed in this paper collected data for one week in a local coffee shop. The data collection took about an hour each day and identified 478 distinct devices. The contribution of this research is two-fold. First, it provides insight into real-world Bluetooth protocols that are being utilized by the general public. Second, it provides foundational research that is necessary for future Bluetooth penetration testing research.

Recently, the home healthcare system has emerged as one of the most useful technology for e-healthcare. Contrary to classical recording methods of patient's medical data, which are, based on paper documents, nowadays all this sensitive data can be managed and forwarded through digital systems. These make possible for both patients and healthcare workers to access medical data or receive remote medical treatment using wireless interfaces whenever and wherever. However, simplifying access to these sensitive and private data can directly put patient's health and life in danger. In this paper, we propose a secure and lightweight biometric-based remote patient authentication scheme using elliptic curve encryption through which two mobile healthcare system communication parties could authenticate each other in public mobile healthcare environments. The security and performance analysis demonstrate that our proposal achieves better security than other concurrent schemes, with lower storage, communication and computation costs.

While advances in cyber-security defensive mechanisms have substantially prevented malware from penetrating into organizational Information Systems (IS) networks, organizational users have found themselves vulnerable to threats emanating from Advanced Persistent Threat (APT) vectors, mostly in the form of spear phishing. In this respect, the question of how an organizational user can differentiate between a genuine communication and a similar looking fraudulent communication in an email/APT threat vector remains a dilemma. Therefore, identifying and evaluating the APT vector attributes and assigning relative weights to them can assist the user to make a correct decision when confronted with a scenario that may be genuine or a malicious APT vector. In this respect, we propose an APT Decision Matrix model which can be used as a lens to build multiple APT threat vector scenarios to identify threat attributes and their weights, which can lead to systems compromise.

Real-time crowdsourced maps, such as Waze provide timely updates on traffic, congestion, accidents, and points of interest. In this paper, we demonstrate how lack of strong location authentication allows creation of software-based Sybil devices that expose crowdsourced map systems to a variety of security and privacy attacks. Our experiments show that a single Sybil device with limited resources can cause havoc on Waze, reporting false congestion and accidents and automatically rerouting user traffic. More importantly, we describe techniques to generate Sybil devices at scale, creating armies of virtual vehicles capable of remotely tracking precise movements for large user populations while avoiding detection. To defend against Sybil devices, we propose a new approach based on co-location edges, authenticated records that attest to the one-time physical co-location of a pair of devices. Over time, co-location edges combine to form large proximity graphs that attest to physical interactions between devices, allowing scalable detection of virtual vehicles. We demonstrate the efficacy of this approach using large-scale simulations, and how they can be used to dramatically reduce the impact of the attacks. We have informed Waze/Google team of our research findings. Currently, we are in active collaboration with Waze team to improve the security and privacy of their system.

The plethora of mobile apps introduce critical challenges to digital forensics practitioners, due to the diversity and the large number (millions) of mobile apps available to download from Google play, Apple store, as well as hundreds of other online app stores. Law enforcement investigators often find themselves in a situation that on the seized mobile phone devices, there are many popular and less-popular apps with interface of different languages and functionalities. Investigators would not be able to have sufficient expert-knowledge about every single app, sometimes nor even a very basic understanding about what possible evidentiary data could be discoverable from these mobile devices being investigated. Existing literature in digital forensic field showed that most such investigations still rely on the investigator's manual analysis using mobile forensic toolkits like Cellebrite and Encase. The problem with such manual approaches is that there is no guarantee on the completeness of such evidence discovery. Our goal is to develop an automated mobile app analysis tool to analyze an app and discover what types of and where forensic evidentiary data that app generate and store locally on the mobile device or remotely on external 3rd-party server(s). With the app analysis tool, we will build a database of mobile apps, and for each app, we will create a list of app-generated evidence in terms of data types, locations (and/or sequence of locations) and data format/syntax. The outcome from this research will help digital forensic practitioners to reduce the complexity of their case investigations and provide a better completeness guarantee of evidence discovery, thereby deliver timely and more complete investigative results, and eventually reduce backlogs at crime labs. In this paper, we will present the main technical approaches for us to implement a dynamic Taint analysis tool for Android apps forensics. With the tool, we have analyzed 2,100 real-world Android apps. For each app, our tool produces the list of evidentiary data (e.g., GPS locations, device ID, contacts, browsing history, and some user inputs) that the app could have collected and stored on the devices' local storage in the forms of file or SQLite database. We have evaluated our tool using both benchmark apps and real-world apps. Our results demonstrated that the initial success of our tool in accurately discovering the evidentiary data.

Device-to-device communication is widely used for mobile devices and Internet of Things. Authentication and key agreement are critical to build a secure channel between two devices. However, existing approaches often rely on a pre-built fingerprint database and suffer from low key generation rate. We present GeneWave, a fast device authentication and key agreement protocol for commodity mobile devices. GeneWave first achieves bidirectional initial authentication based on the physical response interval between two devices. To keep the accuracy of interval estimation, we eliminate time uncertainty on commodity devices through fast signal detection and redundancy time cancellation. Then, we derive the initial acoustic channel response for device authentication. We design a novel coding scheme for efficient key agreement while ensuring security. Therefore, two devices can authenticate each other and securely agree on a symmetric key. GeneWave requires neither special hardware nor pre-built fingerprint database, and thus it is easyto-use on commercial mobile devices. We implement GeneWave on mobile devices (i.e., Nexus 5X and Nexus 6P) and evaluate its performance through extensive experiments. Experimental results show that GeneWave efficiently accomplish secure key agreement on commodity smartphones with a key generation rate 10× faster than the state-of-the-art approach.

Visible light communications is an emerging architecture with unlicensed and huge bandwidth resources, security, and experimental implementations and standardization efforts. Display based transmitter and camera based receiver architectures are alternatives for device-to-device (D2D) and home area networking (HAN) systems by utilizing widely available TV, tablet and mobile phone screens as transmitters while commercially available cameras as receivers. Current architectures utilizing data hiding and unobtrusive steganography methods promise data transmission without user distraction on the screen. however, current architectures have challenges with the limited capability of data hiding in translucency or color shift based methods of hiding by uniformly distributing modulation throughout the screen and keeping eye discomfort at an acceptable level. In this article, foveation property of human visual system is utilized to define a novel modulation method denoted by FoVLC which adaptively improves data hiding capability throughout the screen based on the current eye focus point of viewer. Theoretical modeling of modulation and demodulation mechanisms hiding data in color shifts of pixel blocks is provided while experiments are performed for both FoVLC method and uniform data hiding denoted as conventional method. Experimental tests for the simple design as a proof of concept decreases average bit error rate (BER) to approximately half of the value obtained with the conventional method without user distraction while promising future efforts for optimizing block sizes and utilizing error correction codes.

In context of Industry 4.0 Augmented Reality (AR) is frequently mentioned as the upcoming interface technology for human-machine communication and collaboration. Many prototypes have already arisen in both the consumer market and in the industrial sector. According to numerous experts it will take only few years until AR will reach the maturity level to be deployed in productive applications. Especially for industrial usage it is required to assess security risks and challenges this new technology implicates. Thereby we focus on plant operators, Original Equipment Manufacturers (OEMs) and component vendors as stakeholders. Starting from several industrial AR use cases and the structure of contemporary AR applications, in this paper we identify security assets worthy of protection and derive the corresponding security goals. Afterwards we elaborate the threats industrial AR applications are exposed to and develop an edge computing architecture for future AR applications which encompasses various measures to reduce security risks for our stakeholders.

Blockchain has been applied to study data privacy and network security recently. In this paper, we propose a punishment scheme based on the action record on the blockchain to suppress the attack motivation of the edge servers and the mobile devices in the edge network. The interactions between a mobile device and an edge server are formulated as a blockchain security game, in which the mobile device sends a request to the server to obtain real-time service or launches attacks against the server for illegal security gains, and the server chooses to perform the request from the device or attack it. The Nash equilibria (NEs) of the game are derived and the conditions that each NE exists are provided to disclose how the punishment scheme impacts the adversary behaviors of the mobile device and the edge server.

Active authentication is the problem of continuously verifying the identity of a person based on behavioral aspects of their interaction with a computing device. In this paper, we collect and analyze behavioral biometrics data from 200 subjects, each using their personal Android mobile device for a period of at least 30 days. This data set is novel in the context of active authentication due to its size, duration, number of modalities, and absence of restrictions on tracked activity. The geographical colocation of the subjects in the study is representative of a large closed-world environment such as an organization where the unauthorized user of a device is likely to be an insider threat: coming from within the organization. We consider four biometric modalities: 1) text entered via soft keyboard, 2) applications used, 3) websites visited, and 4) physical location of the device as determined from GPS (when outdoors) or WiFi (when indoors). We implement and test a classifier for each modality and organize the classifiers as a parallel binary decision fusion architecture. We are able to characterize the performance of the system with respect to intruder detection time and to quantify the contribution of each modality to the overall performance.

Subscriber Identity Module (SIM) is the backbone of modern mobile communication. SIM can be used to store a number of user sensitive information such as user contacts, SMS, banking information (some banking applications store user credentials on the SIM) etc. Unfortunately, the current SIM model has a major weakness. When the mobile device is lost, an adversary can simply steal a user's SIM and use it. He/she can then extract the user's sensitive information stored on the SIM. Moreover, The adversary can then pose as the user and communicate with the contacts stored on the SIM. This opens up the avenue to a large number of social engineering techniques. Additionally, if the user has provided his/her number as a recovery option for some accounts, the adversary can get access to them. The current methodology to deal with a stolen SIM is to contact your particular service provider and report a theft. The service provider then blocks the services on your SIM, but the adversary still has access to the data which is stored on the SIM. Therefore, a secure scheme is required to ensure that only legal users are able to access and utilize their SIM.