Information Systems Security

Publishing of data is usually only permitted when complying with a confidentiality policy. To this end, this work proposes an approach to weaken an original database instance: within a logic-oriented modeling definite knowledge is replaced by disjunctive knowledge to introduce uncertainty about confidential information. This provably disables an adversary to infer this confidential information, even if he employs his a priori knowledge and his knowledge about the protection mechanism. As evaluated based on a prototype implementation, this approach can be made highly efficient. If a heuristic – resulting only in a slight loss of availability – is employed, it can be even used in interactive scenarios.

Cryptographic protocols often require principals to send certifications asserting partial knowledge of terms (for instance, that an encrypted secret is 0 or 1). Such certificates are themselves modelled by cryptographic primitives or sequences of communications. For logical analysis of such protocols based on the Dolev-Yao model [12], we suggest that it is useful to separate terms and assertions about them in communications. We propose a perfect assertion assumption by which the underlying model ensures the correctness of the assertion when it is generated. The recipient may then rely on the certificate but may only forward it as second-hand information. We use a simple propositional modal assertion language involving disjunction (for partial knowledge) and formulas of the form A says α (for delegation). We study the complexity of the term derivability problem and safety checking in the presence of an active intruder (for bounded protocols). We show that assertions add complexity to verification, but when they involve only boundedly many disjunctions, the complexity is the same as that of the standard Dolev-Yao model.

Opaque communications between groups of data processors leave individuals out of touch with the circulation and use of their personal information. Empowering individuals in this regard requires supplying them — or auditors on their behalf — with clear data handling guarantees. We introduce an inference model providing individuals with global (organization-wide) accountability guarantees which take into account user expectations and varying levels of usage evidence, such as data handling logs. Our model is implemented in the IDP knowledge base system and demonstrated with the scenario of a surveillance infrastructure used by a railroad company. We show that it is flexible enough to be adapted to any use case involving communicating stakeholders for which a trust hierarchy is defined. Via auditors acting for them, individuals can obtain global accountability guarantees, providing them with a trust-dependent synthesis of declared and proven data handling practices for an entire organization.

Sessions on the web are fragile. They have been attacked successfully in many ways, by network-level attacks, by direct attacks on session cookies (the main mechanism for implementing the session concept) and by application-level attacks where the integrity of sessions is violated by means of cross-site request forgery or malicious script inclusion. This paper defines a variant of non-interference – the classical security notion from information flow security – that can be used to formally define the notion of client-side application-level web session integrity. The paper also develops and proves correct an enforcement mechanism. Combined with state-of-the-art countermeasures for network-level and cookie-level attacks, this enforcement mechanism gives very strong assurance about the client-side preservation of session integrity for authenticated sessions.

Separation of Duty (SoD) constraints are widely used to specify Role Based Access Control (RBAC) policies in commercial applications. It has been shown previously that efficient implementation of SoD policies in RBAC can be done using t-t Statically Mutually Exclusive Roles (SMER) constraints. In this paper, we present a method for finding the minimum number of users required under multiple t-t SMER constraints. The problem is shown to be NP-complete. We model the general problem using graphs, and present a two-step method for solving it. In the first step, a greedy algorithm is proposed that selects a graph which is likely to have the minimum chromatic number out of a set of graphs. The second step uses a known chromatic number finding algorithm for determining the chromatic number of the graph selected in the first step. Results for different values of the number of roles and the number of constraints as well as for different values of t have been reported.

Temporal Role Based Access Control (TRBAC) is an extension of the role based access control (RBAC) model in the temporal domain. It is used by organizations needing to enforce temporal constraints on enabling and disabling of roles. For any chosen access control model, decentralization of administrative authority necessitates the use of a separate administrative model. Even with the use of an administrative model, decentralization often leads to an increased concern for security. Analysis of security properties of RBAC has been extensively done using its administrative model (ARBAC97). However, TRBAC security analysis in the presence of an administrative model so far has received limited attention. This paper proposes a method for performing formal security analysis of TRBAC considering a recently proposed administrative model named AMTRAC, which includes all the relations of ARBAC97 as well as an additional set of relations (named REBA) for administering the role enabling base of a TRBAC system. All the components of TRBAC and AMTRAC are specified in Prolog along with the desired safety and liveness properties. Initially, these properties are verified considering the non-temporal relations only, followed by handling of the temporal relations as well. Experimental results show that the method is both effective as well as scalable.

Enterprises usually execute business processes with the help of Information Technology (IT) services which, in turn, are realized by IT assets. Enterprise IT assets contain vulnerabilities that can be exploited by threats to cause harm to business processes and breach security of information assets. Hence, detection of threats is crucial for ensuring business continuity and protection of enterprise information security. Existing threat detection mechanisms are limited in scope owing to absence of methodologies for modeling different categories of threats uniformly. This paper presents a formal methodology that can model diverse types of threats to enterprise assets. The methodology provides sufficient flexibility to enterprises for defining threshold values of threat parameters that suit their specific needs and help them to compute probability of occurrence of threats.

Ciphertext policy attribute based encryption (CP-ABE) is a technique in which a user with secret key containing attributes is only able to decrypt the message if the attributes in the policy match with the attributes in secret key. Therefore, CP-ABE is suitable for some interesting applications such as cloud computing which requires both security assurances and access control over encrypted data simultaneously. However, we observed that all existing CP-ABE schemes entail a limitation that, if an authorized user wants to search for an encrypted file having particular keywords, then he has to first download and then decrypt the file before searching for particular keywords. When applied to an application involving a cloud, because the number of files on the cloud is likely to be huge, all these process results in large overhead for user.

Bitcoin is a peer-to-peer electronic cash system that uses a decentralized architecture. It has enjoyed superiority compared to other cyptocurrencies but it has also attracted attackers to take advantage of the possible operational insecurity. All the Bitcoin miners independently try to find the winning block by finding a hash lower than a particular target. On 14 ^th June 2014, a particular mining pool was able to take control of 51% of Bitcoins processing power, thus extracting the maximum amount of profit for their work. In this paper, we introduce a new defense against this 51% attack. We modify the present block header by introducing some extra bytes and utilize the Timestamp more effectively in the hash generation and suggest an alternative to the existing Proof-of-Work scheme. The proposed approach does not rely on finding a hash value lower than the target, rather it awards the miner involved in generating the minimum hash value across the entire distributed network. Fraudulent activities easily get caught due to effective use of the Timestamp. The new scheme thus introduces fair competition among the miners. Moreover, it facilitates the generation of Bitcoins at a fixed rate. Finally, we calculate and show how the new scheme can lead to an energy-efficient Bitcoin.

Text passwords are ubiquitous in authentication. Despite this ubiquity, they have been the target of much criticism. One alternative to the pure recall text passwords are graphical authentication schemes. The different proposed schemes harness the vast visual memory of the human brain and exploit cued-recall as well as recognition in addition to pure recall. While graphical authentication in general is promising, basic research is required to better understand which schemes are most appropriate for which scenario (incl. security model and frequency of usage). This paper presents a comparative study in which all schemes are configured to the same effective password space (as used by large Internet companies). The experiment includes both, cued-recall-based and recognition-based schemes. The results demonstrate that recognition-based schemes have the upper hand in terms of effectiveness and cued-recall-based schemes in terms of efficiency. Thus, depending on the scenario one or the other approach is more appropriate. Both types of schemes have lower reset rates than text passwords which might be of interest in scenarios with limited support capacities.

Third Generation Partnership Project (3GPP) has standardized the Evolved Packet System (EPS) as a part of their Long Term Evolution System Architecture Evolution (LTE/SAE) initiative. In order to provide ubiquitous services to the subscribers and to facilitate interoperability, EPS supports multiple access technologies where both 3GPP and Non-3GPP defined access networks are allowed to connect to a common All-IP core network called the Evolved Packet Core (EPC). However, a factor that continues to limit this endeavor is the trust requirement with respect to the subscriber’s identity privacy. There are occasions during Non-3GPP access to the EPS when intermediary network elements like the access networks that may even belong to third party operators have to be confided with the subscriber’s permanent identity. In this paper, we propose a security extension that relaxes this requirement. Contrary to several other solutions proposed recently in this area, our solution can be adopted as an extension to the existing security mechanism. Moreover, it has to be implemented only at the operators level without imposing any change in the intermediary network elements. We also show that the extension meets its security goals through a formal analysis carried out using AUTLOG.

Browser Extensions (BE) enhance the core functionality of the Browser and provide customization to it. Browser extensions enjoy high privileges, sometimes with the same privileges as Browser itself. As a consequence, a vulnerable or malicious extension might expose Browser and system resources to attacks. This may put Browser resources at risk of unwanted operations, privilege escalation etc. BE can snoop on web applications, launch arbitrary processes, and even access files from host file system. In addition to that, an extension can even collude with other installed extensions to share objects and change preferences. Although well-intentioned, extension developers are often not security experts. Hence, they might end up writing vulnerable code. In this paper we present a new attacks via Browser extensions. In particular, the attack allows two malicious extensions to communicate and collaborate with each other in such a way to achieve a malicious goal. We identify the vulnerable points in extension development framework as: (a) object reference sharing, and (b) preference overriding. We illustrate the effectiveness of the proposed attack using various attack scenarios. Furthermore, we provide a proof-of-concept illustration for web domains including Banking & shopping. We believe that the scenarios we use in use-case demonstration underlines the severity of the presented attack. Finally, we also contribute an initial framework to address the presented attack.

In this paper, we propose a new declarative browser security policy — “Cross Origin Request Policy” (CORP) — to mitigate such attacks. CORP enables a server to have fine-grained control on the way different sites can access resources on the server. The server declares the policy using HTTP response headers. The web browser monitors cross origin HTTP requests targeting the server and blocks those which do not comply with CORP. Based on lessons drawn from examining various types of cross origin attacks, we formulate CORP and demonstrate its effectiveness and ease of deployment. We formally verify the design of CORP by modelling it in the Alloy model checker. We also implement CORP as a browser extension for the Chrome web browser and evaluate it against real-world cross origin attacks on open source web applications. Our initial investigation reveals that most of the popular websites already segregate their resources in a way which makes deployment of CORP easier.

In a conventional password based authentication system, an adversary can obtain login credentials by performing shoulder surfing. When such attacks are performed by human users with limited cognitive skills and without any recording device then it is referred as weak shoulder surfing attack. Existing methodologies that avoid such weak shoulder surfing attack, comprise of many rounds which may be the cause of fatigue to the general users. In this paper we have proposed a methodology known as Multi Color (MC) method which reduces the number of rounds in a session to half of previously proposed methodologies. Then using the predictive human performance modeling tool we have shown that proposed MC method is immune against weak shoulder surfing attack and also it improves the existing security level.

The social engineering strategy, used by cyber criminals, to get confidential information from Internet users is called phishing. It continues to trick Internet users into losing time and money each year, besides the loss of productivity. The trends and patterns in such attacks keep on changing over time and hence the detection algorithm needs to be robust and adaptive. Although, many phishing attacks work by luring Internet users to a web site designed to trick them into revealing sensitive information, recently some phishing attacks have been found that work by either installing malware on a computer or by hijacking a good web site. In this paper, we present effective and comprehensive classifiers for both kinds of attacks, classical or hijack-based. To the best of our knowledge, our work is the first to consider hijack-based phishing attacks. Our techniques are also effective at zero-hour phishing web site detection. We focus on the fundamental characteristics of phishing web sites and decompose the classification task for a phishing web site into a URL classifier, a content-based classifier and ways of combining the two. Both the URL classifier and the content-based classifier introduce new features and techniques. We present results of these classifiers and combination schemes on datasets extracted from several sources. We show that: (i) our URL classifier is highly accurate, (ii) our content-based classifier achieves good performance considering the difficulty of the problem and the small size of our white list, and (iii) one of our combination methods achieves superior detection of phishing web sites (over 99.97%) with reasonable false positives of about 3.5 % and another achieves just 0.22% false positives with more than 83% true positive rate. Moreover, our content-based classifier does not need any periodic retraining. Our methods are also language independent.

The meteoric growth of the Android mobile platform has made it a main target of cyber-criminals. Mobile malware specifically targeting Android has surged and grown in tandem with the rising popularity of the platform [3, 5, 4, 6]. In response, the honus is on defenders to increase the difficulty of malware development to curb its rampant growth, and to devise effective detection mechanisms specifically targeting Android malware in order to better protect the end-users.

In this paper, we address the following question: do malicious applications on Android request predictably different permissions than legitimate applications? Based on analysis of 2950 samples of benign and malicious Android applications, we propose a novel Android malware detection technique called Permission-based Malware Detection Systems (PMDS). In PMDS, we view requested permissions as behavioral markers and build a machine learning classifier on those markers to automatically identify for unseen applications potentially harmful behavior based on the combination of permissions they require. By design, PMDS has the potential to detect previously unknown, and zero-day or next-generation malware. If attackers adapt and request for fewer permissions, PMDS will have impeded the simple strategies by which malware developers currently abuse their victims.

Experimental results show that PMDS detects more than 92–94% of previously unseen malware with a false positives rate of 1.52–3.93%.

Cross-Site Scripting (XSS) vulnerability is one of the most critical breaches that may compromise the security of Web applications. Reflected XSS is usually easy to detect as the attack vector is immediately executed, and classical Web application scanners are commonly efficient to detect it. However, they are less efficient to discover multi-step XSS, which requires behavioral knowledge to be detected. In this paper, we propose a Pattern-driven and Model-based Vulnerability Testing approach (PMVT) to improve the capability of multi-step XSS detection. This approach relies on generic vulnerability test patterns, which are applied on a behavioral model of the application under test, in order to generate vulnerability test cases. A toolchain, adapted from an existing Model-Based Testing tool, has been developed to implement this approach. This prototype has been experimented and validated on real-life Web applications, showing a strong improvement of detection ability w.r.t. Web application scanners for this kind of vulnerabilities.

CliSeAu is a novel tool for hardening distributed Java programs. CliSeAu takes as input a specification of the desired properties and a Java bytecode target program, i.e. the format in which Java programs are usually provided. CliSeAu returns hardened Java bytecode that provides the same functionality as the original code, unless this code endangers the desired properties. By monitoring the components of a distributed system in a decentralized and coordinated fashion, our tool CliSeAu is able to enforce a wide range of properties, both effectively and efficiently. In this article, we present the architecture of CliSeAu, explain how the components of a distributed target program are instrumented by CliSeAu, and illustrate at an example application how CliSeAu can be used for securing distributed programs.

Shellcode can be viewed as machine language code that is injected in the form of string input to exploit buffer overflows. It usually contains non-ASCII values because not all machine instructions encode into ASCII values. Many applications allow arbitrary string input, even though only strings containing characters that are ASCII or a subset of ASCII are deemed valid. Thus a common defense against shellcode injection is to discard any string input containing non-ASCII characters. Alphanumeric shellcode helps attackers bypass such character restrictions. It is non-trivial to construct alphanumeric shellcodes by hand and so tools have been created to automate the process. The alphanumeric equivalent, generated by the existing tools, is much larger than the original shellcode. This paper presents two new encoding schemes to reduce the size of the alphanumeric equivalent. A smaller shellcode is better as it can fit into smaller buffers and is even more useful in case an application restricts the input size. Results show that the size reduction of the encoded shellcode is more than 20% for many shellcodes.

The paper itself forms an important security feature for many security paper documents. This work attempts to develop a machine assisted tool for authenticating the paper of a security document. Image processing and pattern recognition principles form the basis of this automatic method. Paper pulps play a crucial role in characterizing a paper material. These pulps are visible in the UV scanned image of the document. Therefore, the pulps are first identified in the UV scanned image. This identification is done by borrowing ideas from rice grain detection method. Once the pulps are detected, shape and color features are extracted from them. Paper pulps coming from fake documents are significantly different from those of genuine documents in their shapes and colors. Using the shape and color features, a multilayer back propagation neural network is used to discriminate paper pulps as genuine or fake. The proposed method is tested with Indian banknote samples. Experiment shows that consideration of paper pulps is one of the crucial tests for authenticating paper money.

In this paper, a highly secure and an accurate personal authentication based on palm-dorsa vein patterns is proposed. Hand-dorsa images are acquired in infrared light by using a low cost camera. Acquisition takes place under unconstrained environment in a contact-less manner. Hand-dorsa images are preprocessed to extract the palm-dorsa which is used for vein pattern extraction by using multi-scale matched filtering. Image registration based matching is performed to verify the user identity. Performance of the proposed system is evaluated on a database containing 840 images from 140 different classes. Experimental results indicates that the proposed system performs better that other existing systems.

In today’s cyber world images and videos are the major sources of information exchange. The authenticity of digital images and videos is extremely crucial in the legal industry, media world and broadcast industry. However, with huge proliferation of low-cost, easy–to–use image manipulating software the fidelity of digital images is at stake. In this paper we propose a technique to detect digital forgery in JPEG images, based on ”double–compression”. We deal with JPEG images because JPEG is the standard storage format used in almost all present day digital cameras and other image acquisition devices. JPEG compresses an image to optimize the storage space requirement. When an attacker or criminal alters some part of a JPEG image by any image–editing tool and rewrites it to memory, the forged or modified part gets doubly–compressed. In this paper, we exploit this double–compression in JPEG images to identify digital forgery.

With the prevalence of ubiquitous computing and the increase in the number of mobile phone and smartphone users, multiple features and applications are being introduced to facilitate users’ daily life. However, users are unaware of the potential danger when the data is collected in return by the service providers. Users and the data associated with them are vulnerable to privacy attacks and threats. The concerning issue has been of interest to many researchers and several techniques have been proposed to counteract such threat and vulnerability issues. This paper proposes a new technique using Sudoku structures and shows how it can ensure users’ privacy and degrade the confidence level at the adversary’s end for tracking the user. In the proposed scheme, the service providers can be customized for varying needs of the user and in accordance with the types of queries. As a simple yet effective technique, it can create reasonable obfuscation for the adversary while guaranteeing accuracy of service for the users.

Wi-Fi localization has become an essential service for many aspects of life, especially for indoor-environment where GPS-based technology cannot operate. SIL, a new family of Wi-Fi localization algorithms, has been introduced recently. SIL stands out from the rest of the localization techniques thanks to its training-free property. Capable of performing localization without pre-trained data, SIL resolves the costly training-phase commonly presenting in most other Wi-Fi localization algorithms. SIL can either operate independently or use crowd-sourcing to query and share preprocessed location information. The latter saves the bandwidth cost but poses a security threat of user’s location leakage. In this paper, we propose LOF, a framework to secure location anonymity while preserving acceptable-bandwidth-cost for training-free localization algorithms such as SIL.