nach oben

Erschienen in:

2020 | OriginalPaper | Buchkapitel

A Risk-Driven Model to Minimize the Effects of Human Factors on Smart Devices

verfasst von : Sandeep Gupta, Attaullah Buriro, Bruno Crispo

Erschienen in: Emerging Technologies for Authorization and Authentication

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Human errors exploitation could entail unfavorable consequences to smart device users. Typically, smart devices provide multiple configurable features, e.g., user authentication settings, network selection, application installation, communication interfaces, etc., which users can configure according to their need and convenience. However, untrustworthy features configuration could mount severe risks towards the protection and integrity of data and assets residing on smart devices or to perform security-sensitive activities on smart devices. Conventional security mechanisms mainly focus on preventing and monitoring malware, but they do not perform the runtime vulnerabilities assessment while users use their smart devices. In this paper, we propose a risk-driven model that determines features reliability at runtime by monitoring users’ features usage patterns. The resource access permissions (e.g., ACCESS_INTERNET and ACCESS_NETWORK_STATE) given to an application requiring higher security are revoked in case users configure less reliable features (e.g., open WIFI or HOTSPOT) on their smart devices. Thus, our model dynamically fulfills the security criteria of the security-sensitive applications and revokes resources access permission given to them, until features reliability is set to a secure level. Consequently, smart devices are secured against any runtime vulnerabilities that may surface due to human factors.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel MuFASA: A Tool for High-level Specification and Analysis of Multi-factor Authentication Protocols

Nächstes Kapitel A Formal Security Analysis of the Authentication Protocol for Decentralized Key Distribution and End-to-End Encrypted Email

Nur mit Berechtigung zugänglich

Gupta, S., Buriro, A., Crispo, B.: Demystifying authentication concepts insmartphones: ways and types to secure access. Mob. Inf. Syst. 2018, 16 p. (2018)

He, D., Chan, S., Guizani, M.: Mobile application security: malware threats and defenses. IEEE Wirel. Commun. 22(1), 138–144 (2015)CrossRef

UcedaVelez, T., Morana, M.M.: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis. Wiley, Hoboken (2015)CrossRef

Ward, M.: Ransomware ‘here to stay’, warns google study (2017). http://www.bbc.com/news/technology-40737060

Pieters, W.: Defining “the weakest link” comparative security in complex systems of systems. In: Proceeding of 5th International Conference on Cloud Computing Technology and Science (CloudCom), vol. 2, pp. 39–44. IEEE (2013)

Proctor, R.W., Van Zandt, T.: Human Factors in Simple and Complex Systems. CRC Press, Boca Raton (2018)

Li, P., Chen, G., Zhang, L., et al.: Research review and development trends of human reliability analysis techniques. At. Energy Sci. Technol. 45(3), 329–340 (2011)

Gu, T., Li, L., Lu, M., Li, J.: Research on the calculation method of information security risk assessment considering human reliability. In: 2014 International Conference on Reliability, Maintainability and Safety (ICRMS), pp. 457–462. IEEE (2014)

Stoneburner, G., Goguen, A., Feringa, A.: Risk Management Guide for Information Technology Systems. NIST Special Publication 800–30 (2002)

10.

Microsoft: Definition of a security vulnerability. https://msdn.microsoft.com/en-us/library/cc751383.aspx?f=255&MSPPError=-2147217396 (2018)

11.

ISO/IEC 25010:2011: Reliability (2018). https://www.iso.org/obp/ui/#iso:std:iso-iec:25010:ed-1:v1:en

12.

ISO: Human factors. https://www.iso.org/obp/ui/#iso:std:iso:9241:-210:ed-1:v1:en (2018)

13.

Metalidou, E., Marinagi, C., Trivellas, P., Eberhagen, N., Skourlas, C., Giannakopoulos, G.: The human factor of information security: unintentional damage perspective. Soc. Behav. Sci. 147, 424–428 (2014)CrossRef

14.

Vidalis, S., Jones, A.: Analyzing threat agents and their attributes. In: ECIW, pp. 369–380 (2005)

15.

Fixmo: Enabling your business through mobile risk management (2018). https://www.eiseverywhere.com/file_uploads/12d988fc44b269ec828834bbaef0c6b3_FixmoWhitepaper.pdf

16.

Lord, N.: A history of ransomware attacks: the biggest and worst ransomware attacks of all time (2017). https://digitalguardian.com/blog/history-ransomware-attacks-biggest-and-worst-ransomware-attacks-all-time

17.

Johar, A.: Now ransomware attacks android: doublelocker locks your smartphone by changing the pin (2017). https://economictimes.indiatimes.com/tech/internet/now-ransomware-attacks-android-doublelocker-locks-your-smartphone-by-changing-the-pin/articleshow/61247838.cms

18.

Goodin, D.: Ransomware scammers exploited safari bug to extort porn-viewing IOS users. https://arstechnica.com/information-technology/2017/03/ransomware-scammers-exploited-safari-bug-to-extort-porn-viewing-ios-users/ (2017)

19.

Iqbal, M.S., Zulkernine, M.: SAM: a secure anti-malware framework for the smartphone operating systems. In: Proceeding of Wireless Communications and Networking Conference (WCNC), pp. 1–6. IEEE (2016)

20.

Yang, T., Yang, Y., Qian, K., Lo, D.C.-T., Qian, Y., Tao, L.: Automated detection and analysis for android ransomware. In: Proceeding of 7th International Symposium on Cyberspace Safety and Security (CSS), pp. 1338–1343. IEEE (2015)

21.

Hong, S., Liu, C., Ren, B., Chen, J.: Poster: Sdguard: an android application implementing privacy protection and ransomware detection. In: Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services, pp. 149–149. ACM (2017)

22.

Joshi, J., Parekh, C.: Android smartphone vulnerabilities: a survey. In: Proceeding of International Conference on Advances in Computing, Communication, & Automation (ICACCA) (Spring), pp. 1–5. IEEE (2016)

23.

Yang, W., Hu, J., Fernandes, C., Sivaraman, V., Wu, Q.: Vulnerability analysis of iPhone 6. In: Proceeding of 14th Annual Conference on Privacy, Security and Trust (PST), pp. 457–463. IEEE (2016)

24.

Yee, K.-P.: User interaction design for secure systems. In: Deng, R., Bao, F., Zhou, J., Qing, S. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 278–290. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36159-6_24CrossRef

25.

Apple: IOS requesting permission (2018). https://developer.apple.com/design/human-interface-guidelines/ios/app-architecture/requesting-permission/

26.

Google: Android permissions overview (2018). https://developer.android.com/guide/topics/permissions/overview

27.

Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., Glezer, C.: Google android: a comprehensive security assessment. IEEE Secur. Priv. 8(2), 35–44 (2010)CrossRef

28.

Wang, Y., Zheng, J., Sun, C., Mukkamala, S.: Quantitative security risk assessment of android permissions and applications. In: Wang, L., Shafiq, B. (eds.) DBSec 2013. LNCS, vol. 7964, pp. 226–241. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39256-6_15CrossRef

29.

Lindorfer, M., Neugschwandtner, M., Platzer, C.: Marvin: efficient and comprehensive mobile app classification through static and dynamic analysis. In: 39th Annual Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 422–433. IEEE (2015)

30.

Aytes, K.: Computer security and risky computing practices: a rational choice perspective. In: Information Security and Ethics: Concepts, Methodologies, Tools, and Applications, pp. 1994–2011. IGI Global (2008)

31.

Modarres, M., Kaminskiy, M.P., Krivtsov, V.: Reliability Engineering and Risk Analysis: A Practical Guide. CRC Press, Boca Raton (2016)CrossRef

32.

Winnick, M.: Putting a finger on our phone obsession - mobile touches: a study on humans and their tech (2016). https://blog.dscout.com/mobile-touches

33.

Harbach, M., Von Zezschwitz, E., Fichtner, A., De Luca, A., Smith, M.: It’s a hard lock life: a field study of smartphone (un) locking behavior and risk perception. In: Symposium on usable privacy and security (SOUPS), pp. 213–230 (2014)

34.

Summerson, C.: What is USB debugging, and is it safe to leave it enabled on android? (2016). https://www.howtogeek.com/258788/what-is-usb-debugging-and-is-it-safe-to-leave-it-enabled-on-android/

35.

Padgette, J.: Guide to Bluetooth Security. NIST Special Publication 800-121 (2017)

36.

Shaked, Y., Wool, A.: Cracking the Bluetooth Pin. In: Proceedings of the 3rd International Conference on Mobile Systems, Applications, and Services, pp. 39–50. ACM (2005)

37.

Dunning, J.: Taming the blue beast: a survey of Bluetooth based threats. IEEE Secur. Priv. 8(2), 20–27 (2010)CrossRef

38.

kaspersky: How to avoid public WiFi security risks (2018). https://usa.kaspersky.com/resource-center/preemptive-safety/public-wifi-risks

39.

Muaaz, M., Mayrhofer, R.: Smartphone-based gait recognition: from authentication to imitation. IEEE Trans. Mob. Comput. 16(11), 3209–3221 (2017)CrossRef

40.

Traore, I., Woungang, I., Obaidat, M.S., Nakkabi, Y., Lai, I.: Online risk-based authentication using behavioral biometrics. Multimed. Tools Appl. 71(2), 575–605 (2014)CrossRef

41.

Google: Background execution limits (2018). https://developer.android.com/about/versions/oreo/background

42.

Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on android). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21599-5_7CrossRef

43.

Shiroma, T., Nishio, Y., Inoue, H.: A threat to mobile devices from spoofing public USB charging stations. In: Proceeding of International Conference on Consumer Electronics (ICCE), pp. 88–89. IEEE (2017)

44.

Google: Android debug bridge (adb) (2018). https://developer.android.com/studio/command-line/adb

45.

Hwang, S., Lee, S., Kim, Y., Ryu, S.: Bittersweet ADB: attacks and defenses. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, pp. 579–584. ACM (2015)

46.

Demetriou, S., Zhou, X.-Y., Naveed, M., Lee, Y., Yuan, K., Wang, X., Gunter, C.A.: What’s in your dongle and bank account? Mandatory and discretionary protection of android external resources. In: NDSS (2015)

47.

Kywe, S.M., Li, Y., Petal, K., Grace, M.: Attacking android smartphone systems without permissions. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST), pp. 147–156. IEEE (2016)

48.

Spaulding, J., Krauss, A., Srinivasan, A.: Exploring an open WiFi detection vulnerability as a malware attack vector on IOS devices. In: Proceeding of 7th International Conference on Malicious and Unwanted Software (MALWARE), pp. 87–93. IEEE (2012)

49.

Wasil, D., Nakhila, O., Bacanli, S.S., Zou, C., Turgut, D.: Exposing vulnerabilities in mobile networks: a mobile data consumption attack. In: Proceeding of 14th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), pp. 550–554. IEEE (2017)

50.

Sharma, K., Gupta, B.B.: Attack in smartphone Wi-Fi access channel: state of the art, current issues, and challenges. In: Lobiyal, D.K., Mansotra, V., Singh, U. (eds.) Next-Generation Networks. AISC, vol. 638, pp. 555–561. Springer, Singapore (2018). https://doi.org/10.1007/978-981-10-6005-2_56CrossRef

51.

Sun, D.-Z., Mu, Y., Susilo, W.: Man-in-the-middle attacks on secure simple pairing in Bluetooth standard v5. 0 and its countermeasure. Pers. Ubiquit. Comput. 22(1), 55–67 (2018)CrossRef

52.

Zeiter, K.: Hackers can control your phone using a tool that’s already built into it (2014). https://www.wired.com/2014/07/hackers-can-control-your-phone-using-a-tool-thats-already-built-into-it/

Titel: A Risk-Driven Model to Minimize the Effects of Human Factors on Smart Devices
verfasst von: Sandeep Gupta
Attaullah Buriro
Bruno Crispo
Verlag: Springer International Publishing
Buch: Emerging Technologies for Authorization and Authentication
Print ISBN: 978-3-030-39748-7

Electronic ISBN: 978-3-030-39749-4

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-39749-4_10

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"