Skip to main content
main-content

Tipp

Weitere Kapitel dieses Buchs durch Wischen aufrufen

2020 | OriginalPaper | Buchkapitel

A Risk-Driven Model to Minimize the Effects of Human Factors on Smart Devices

verfasst von : Sandeep Gupta, Attaullah Buriro, Bruno Crispo

Erschienen in: Emerging Technologies for Authorization and Authentication

Verlag: Springer International Publishing

share
TEILEN

Abstract

Human errors exploitation could entail unfavorable consequences to smart device users. Typically, smart devices provide multiple configurable features, e.g., user authentication settings, network selection, application installation, communication interfaces, etc., which users can configure according to their need and convenience. However, untrustworthy features configuration could mount severe risks towards the protection and integrity of data and assets residing on smart devices or to perform security-sensitive activities on smart devices. Conventional security mechanisms mainly focus on preventing and monitoring malware, but they do not perform the runtime vulnerabilities assessment while users use their smart devices. In this paper, we propose a risk-driven model that determines features reliability at runtime by monitoring users’ features usage patterns. The resource access permissions (e.g., ACCESS_INTERNET and ACCESS_NETWORK_STATE) given to an application requiring higher security are revoked in case users configure less reliable features (e.g., open WIFI or HOTSPOT) on their smart devices. Thus, our model dynamically fulfills the security criteria of the security-sensitive applications and revokes resources access permission given to them, until features reliability is set to a secure level. Consequently, smart devices are secured against any runtime vulnerabilities that may surface due to human factors.
Anhänge
Nur mit Berechtigung zugänglich
Literatur
1.
Zurück zum Zitat Gupta, S., Buriro, A., Crispo, B.: Demystifying authentication concepts insmartphones: ways and types to secure access. Mob. Inf. Syst. 2018, 16 p. (2018) Gupta, S., Buriro, A., Crispo, B.: Demystifying authentication concepts insmartphones: ways and types to secure access. Mob. Inf. Syst. 2018, 16 p. (2018)
2.
Zurück zum Zitat He, D., Chan, S., Guizani, M.: Mobile application security: malware threats and defenses. IEEE Wirel. Commun. 22(1), 138–144 (2015) CrossRef He, D., Chan, S., Guizani, M.: Mobile application security: malware threats and defenses. IEEE Wirel. Commun. 22(1), 138–144 (2015) CrossRef
3.
Zurück zum Zitat UcedaVelez, T., Morana, M.M.: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis. Wiley, Hoboken (2015) CrossRef UcedaVelez, T., Morana, M.M.: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis. Wiley, Hoboken (2015) CrossRef
5.
Zurück zum Zitat Pieters, W.: Defining “the weakest link” comparative security in complex systems of systems. In: Proceeding of 5th International Conference on Cloud Computing Technology and Science (CloudCom), vol. 2, pp. 39–44. IEEE (2013) Pieters, W.: Defining “the weakest link” comparative security in complex systems of systems. In: Proceeding of 5th International Conference on Cloud Computing Technology and Science (CloudCom), vol. 2, pp. 39–44. IEEE (2013)
6.
Zurück zum Zitat Proctor, R.W., Van Zandt, T.: Human Factors in Simple and Complex Systems. CRC Press, Boca Raton (2018) Proctor, R.W., Van Zandt, T.: Human Factors in Simple and Complex Systems. CRC Press, Boca Raton (2018)
7.
Zurück zum Zitat Li, P., Chen, G., Zhang, L., et al.: Research review and development trends of human reliability analysis techniques. At. Energy Sci. Technol. 45(3), 329–340 (2011) Li, P., Chen, G., Zhang, L., et al.: Research review and development trends of human reliability analysis techniques. At. Energy Sci. Technol. 45(3), 329–340 (2011)
8.
Zurück zum Zitat Gu, T., Li, L., Lu, M., Li, J.: Research on the calculation method of information security risk assessment considering human reliability. In: 2014 International Conference on Reliability, Maintainability and Safety (ICRMS), pp. 457–462. IEEE (2014) Gu, T., Li, L., Lu, M., Li, J.: Research on the calculation method of information security risk assessment considering human reliability. In: 2014 International Conference on Reliability, Maintainability and Safety (ICRMS), pp. 457–462. IEEE (2014)
9.
Zurück zum Zitat Stoneburner, G., Goguen, A., Feringa, A.: Risk Management Guide for Information Technology Systems. NIST Special Publication 800–30 (2002) Stoneburner, G., Goguen, A., Feringa, A.: Risk Management Guide for Information Technology Systems. NIST Special Publication 800–30 (2002)
13.
Zurück zum Zitat Metalidou, E., Marinagi, C., Trivellas, P., Eberhagen, N., Skourlas, C., Giannakopoulos, G.: The human factor of information security: unintentional damage perspective. Soc. Behav. Sci. 147, 424–428 (2014) CrossRef Metalidou, E., Marinagi, C., Trivellas, P., Eberhagen, N., Skourlas, C., Giannakopoulos, G.: The human factor of information security: unintentional damage perspective. Soc. Behav. Sci. 147, 424–428 (2014) CrossRef
14.
Zurück zum Zitat Vidalis, S., Jones, A.: Analyzing threat agents and their attributes. In: ECIW, pp. 369–380 (2005) Vidalis, S., Jones, A.: Analyzing threat agents and their attributes. In: ECIW, pp. 369–380 (2005)
19.
Zurück zum Zitat Iqbal, M.S., Zulkernine, M.: SAM: a secure anti-malware framework for the smartphone operating systems. In: Proceeding of Wireless Communications and Networking Conference (WCNC), pp. 1–6. IEEE (2016) Iqbal, M.S., Zulkernine, M.: SAM: a secure anti-malware framework for the smartphone operating systems. In: Proceeding of Wireless Communications and Networking Conference (WCNC), pp. 1–6. IEEE (2016)
20.
Zurück zum Zitat Yang, T., Yang, Y., Qian, K., Lo, D.C.-T., Qian, Y., Tao, L.: Automated detection and analysis for android ransomware. In: Proceeding of 7th International Symposium on Cyberspace Safety and Security (CSS), pp. 1338–1343. IEEE (2015) Yang, T., Yang, Y., Qian, K., Lo, D.C.-T., Qian, Y., Tao, L.: Automated detection and analysis for android ransomware. In: Proceeding of 7th International Symposium on Cyberspace Safety and Security (CSS), pp. 1338–1343. IEEE (2015)
21.
Zurück zum Zitat Hong, S., Liu, C., Ren, B., Chen, J.: Poster: Sdguard: an android application implementing privacy protection and ransomware detection. In: Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services, pp. 149–149. ACM (2017) Hong, S., Liu, C., Ren, B., Chen, J.: Poster: Sdguard: an android application implementing privacy protection and ransomware detection. In: Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services, pp. 149–149. ACM (2017)
22.
Zurück zum Zitat Joshi, J., Parekh, C.: Android smartphone vulnerabilities: a survey. In: Proceeding of International Conference on Advances in Computing, Communication, & Automation (ICACCA) (Spring), pp. 1–5. IEEE (2016) Joshi, J., Parekh, C.: Android smartphone vulnerabilities: a survey. In: Proceeding of International Conference on Advances in Computing, Communication, & Automation (ICACCA) (Spring), pp. 1–5. IEEE (2016)
23.
Zurück zum Zitat Yang, W., Hu, J., Fernandes, C., Sivaraman, V., Wu, Q.: Vulnerability analysis of iPhone 6. In: Proceeding of 14th Annual Conference on Privacy, Security and Trust (PST), pp. 457–463. IEEE (2016) Yang, W., Hu, J., Fernandes, C., Sivaraman, V., Wu, Q.: Vulnerability analysis of iPhone 6. In: Proceeding of 14th Annual Conference on Privacy, Security and Trust (PST), pp. 457–463. IEEE (2016)
27.
Zurück zum Zitat Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., Glezer, C.: Google android: a comprehensive security assessment. IEEE Secur. Priv. 8(2), 35–44 (2010) CrossRef Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., Glezer, C.: Google android: a comprehensive security assessment. IEEE Secur. Priv. 8(2), 35–44 (2010) CrossRef
29.
Zurück zum Zitat Lindorfer, M., Neugschwandtner, M., Platzer, C.: Marvin: efficient and comprehensive mobile app classification through static and dynamic analysis. In: 39th Annual Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 422–433. IEEE (2015) Lindorfer, M., Neugschwandtner, M., Platzer, C.: Marvin: efficient and comprehensive mobile app classification through static and dynamic analysis. In: 39th Annual Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 422–433. IEEE (2015)
30.
Zurück zum Zitat Aytes, K.: Computer security and risky computing practices: a rational choice perspective. In: Information Security and Ethics: Concepts, Methodologies, Tools, and Applications, pp. 1994–2011. IGI Global (2008) Aytes, K.: Computer security and risky computing practices: a rational choice perspective. In: Information Security and Ethics: Concepts, Methodologies, Tools, and Applications, pp. 1994–2011. IGI Global (2008)
31.
Zurück zum Zitat Modarres, M., Kaminskiy, M.P., Krivtsov, V.: Reliability Engineering and Risk Analysis: A Practical Guide. CRC Press, Boca Raton (2016) CrossRef Modarres, M., Kaminskiy, M.P., Krivtsov, V.: Reliability Engineering and Risk Analysis: A Practical Guide. CRC Press, Boca Raton (2016) CrossRef
33.
Zurück zum Zitat Harbach, M., Von Zezschwitz, E., Fichtner, A., De Luca, A., Smith, M.: It’s a hard lock life: a field study of smartphone (un) locking behavior and risk perception. In: Symposium on usable privacy and security (SOUPS), pp. 213–230 (2014) Harbach, M., Von Zezschwitz, E., Fichtner, A., De Luca, A., Smith, M.: It’s a hard lock life: a field study of smartphone (un) locking behavior and risk perception. In: Symposium on usable privacy and security (SOUPS), pp. 213–230 (2014)
35.
Zurück zum Zitat Padgette, J.: Guide to Bluetooth Security. NIST Special Publication 800-121 (2017) Padgette, J.: Guide to Bluetooth Security. NIST Special Publication 800-121 (2017)
36.
Zurück zum Zitat Shaked, Y., Wool, A.: Cracking the Bluetooth Pin. In: Proceedings of the 3rd International Conference on Mobile Systems, Applications, and Services, pp. 39–50. ACM (2005) Shaked, Y., Wool, A.: Cracking the Bluetooth Pin. In: Proceedings of the 3rd International Conference on Mobile Systems, Applications, and Services, pp. 39–50. ACM (2005)
37.
Zurück zum Zitat Dunning, J.: Taming the blue beast: a survey of Bluetooth based threats. IEEE Secur. Priv. 8(2), 20–27 (2010) CrossRef Dunning, J.: Taming the blue beast: a survey of Bluetooth based threats. IEEE Secur. Priv. 8(2), 20–27 (2010) CrossRef
39.
Zurück zum Zitat Muaaz, M., Mayrhofer, R.: Smartphone-based gait recognition: from authentication to imitation. IEEE Trans. Mob. Comput. 16(11), 3209–3221 (2017) CrossRef Muaaz, M., Mayrhofer, R.: Smartphone-based gait recognition: from authentication to imitation. IEEE Trans. Mob. Comput. 16(11), 3209–3221 (2017) CrossRef
40.
Zurück zum Zitat Traore, I., Woungang, I., Obaidat, M.S., Nakkabi, Y., Lai, I.: Online risk-based authentication using behavioral biometrics. Multimed. Tools Appl. 71(2), 575–605 (2014) CrossRef Traore, I., Woungang, I., Obaidat, M.S., Nakkabi, Y., Lai, I.: Online risk-based authentication using behavioral biometrics. Multimed. Tools Appl. 71(2), 575–605 (2014) CrossRef
43.
Zurück zum Zitat Shiroma, T., Nishio, Y., Inoue, H.: A threat to mobile devices from spoofing public USB charging stations. In: Proceeding of International Conference on Consumer Electronics (ICCE), pp. 88–89. IEEE (2017) Shiroma, T., Nishio, Y., Inoue, H.: A threat to mobile devices from spoofing public USB charging stations. In: Proceeding of International Conference on Consumer Electronics (ICCE), pp. 88–89. IEEE (2017)
45.
Zurück zum Zitat Hwang, S., Lee, S., Kim, Y., Ryu, S.: Bittersweet ADB: attacks and defenses. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, pp. 579–584. ACM (2015) Hwang, S., Lee, S., Kim, Y., Ryu, S.: Bittersweet ADB: attacks and defenses. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, pp. 579–584. ACM (2015)
46.
Zurück zum Zitat Demetriou, S., Zhou, X.-Y., Naveed, M., Lee, Y., Yuan, K., Wang, X., Gunter, C.A.: What’s in your dongle and bank account? Mandatory and discretionary protection of android external resources. In: NDSS (2015) Demetriou, S., Zhou, X.-Y., Naveed, M., Lee, Y., Yuan, K., Wang, X., Gunter, C.A.: What’s in your dongle and bank account? Mandatory and discretionary protection of android external resources. In: NDSS (2015)
47.
Zurück zum Zitat Kywe, S.M., Li, Y., Petal, K., Grace, M.: Attacking android smartphone systems without permissions. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST), pp. 147–156. IEEE (2016) Kywe, S.M., Li, Y., Petal, K., Grace, M.: Attacking android smartphone systems without permissions. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST), pp. 147–156. IEEE (2016)
48.
Zurück zum Zitat Spaulding, J., Krauss, A., Srinivasan, A.: Exploring an open WiFi detection vulnerability as a malware attack vector on IOS devices. In: Proceeding of 7th International Conference on Malicious and Unwanted Software (MALWARE), pp. 87–93. IEEE (2012) Spaulding, J., Krauss, A., Srinivasan, A.: Exploring an open WiFi detection vulnerability as a malware attack vector on IOS devices. In: Proceeding of 7th International Conference on Malicious and Unwanted Software (MALWARE), pp. 87–93. IEEE (2012)
49.
Zurück zum Zitat Wasil, D., Nakhila, O., Bacanli, S.S., Zou, C., Turgut, D.: Exposing vulnerabilities in mobile networks: a mobile data consumption attack. In: Proceeding of 14th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), pp. 550–554. IEEE (2017) Wasil, D., Nakhila, O., Bacanli, S.S., Zou, C., Turgut, D.: Exposing vulnerabilities in mobile networks: a mobile data consumption attack. In: Proceeding of 14th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), pp. 550–554. IEEE (2017)
51.
Zurück zum Zitat Sun, D.-Z., Mu, Y., Susilo, W.: Man-in-the-middle attacks on secure simple pairing in Bluetooth standard v5. 0 and its countermeasure. Pers. Ubiquit. Comput. 22(1), 55–67 (2018) CrossRef Sun, D.-Z., Mu, Y., Susilo, W.: Man-in-the-middle attacks on secure simple pairing in Bluetooth standard v5. 0 and its countermeasure. Pers. Ubiquit. Comput. 22(1), 55–67 (2018) CrossRef
Metadaten
Titel
A Risk-Driven Model to Minimize the Effects of Human Factors on Smart Devices
verfasst von
Sandeep Gupta
Attaullah Buriro
Bruno Crispo
Copyright-Jahr
2020
DOI
https://doi.org/10.1007/978-3-030-39749-4_10

Premium Partner