Papers Submitted for the Best Paper Award

Papers Submitted:

ID Title Bibliographic Details Impact Statement View Paper Change Paper Details
1 DRE-ip: A Verifiable E-Voting Scheme without Tallying Authorities Siamak F. Shahandashti and Feng Hao. In I. Askoxylakis et al. (eds.): ESORICS 2016, LNCS 9879, pp. 223-240, Springer, 2016. We propose a polling station electronic voting system that does not require tallying authorities. The system is proven secure even if the voting machine is compromised. This is in contrast with previous systems which require secure storage on voting machines. The system also provides mechanisms for individual verification of that ballots are cast as intended, and for public verification of that cast ballots are tallied correctly. Requiring neither tallying authorities nor secure ballot storage substantially simplifies the setup and deployment of such electronic voting systems. We are currently working on a test deployment of this system on off-the-shelf devices. View Paper Change Paper Details
2 Architecting Holistic Fault Tolerance Rem Gensh, Ashur Rafiev, Alexander Romanovsky, Alessandro Garcia, Fei Xia, Alex Yakovlev, HASE 2017, accepted on October 26, 2016 This study is about design and implementation of Holistic Fault Tolerance (HFT) architecture. We describe main elements of the HFT architecture, which includes the HFT controller and HFT agents. The HFT controller is a crosscutting unit that controls fault tolerance, performance and resource utilisation of the entire system. The HFT agents are special objects that monitor and if necessary intervene in the control flow of critical functions of the system components. At the moment we are working on the evaluation of the HFT approach to ensure that it is efficient and provides better maintainability of fault tolerance functionality. View Paper Change Paper Details
3 Influence Tokens: Analysing Adversarial Behaviour Change in Coloured Petri Nets Peter Carmichael, Charles Morisset and Thomas Groß; STAST 2016; Accepted on November 4th 2016; Social Engineers can use influential techniques to exploit human behaviour. For a security officer, simulating and analysing such attacks would provide useful insights towards possible countermeasures. We propose the notion of influence tokens, which a social engineer can exploit to change human behaviour. We model the relationship between agents and a social engineer using Coloured Petri Nets, which govern the behaviour of influence tokens. We then illustrate our results showing how influence tokens propagate, impact and alters a Social Engineers success rate in a tailgating scenario. In particular, we show that a specific combination of tokens will increase the adversaries success rate, whereas, investing in a different set of tokens yields no further rewards for the adversary View Paper Change Paper Details
4 PiSHi: Click the Images and I Tell if You Are a Human M. Mehrnezhad, A. Bafghi, A. Harati, E. Toreini, International Journal of Information Security, Springer Journal, Feb 2016, P 1-17. This paper introduces pictorial intelligent system for human identification (PiSHi), an image-based captcha which uses three human cognitive abilities to distinguish humans from machines. The first is the human ability to easily recognise the image’s upright orientation. The second is the human brain’s ability in recognising a picture’s content when it is only partially visible. And the third is the human ability in unconscious decision making when encountering pictorial challenges. This work models such complicated human patterns in problem solving for the first time. In order to extract these behavioural patterns and save them in a pattern database, we have implemented our own captcha and performed a series of experiments. PiSHi’s interface presents the user with a set of distorted pictures and asks her to click on the upright orientation of all the pictures in any preferred order. Next, it captures the user’s interaction patterns, compares them with the ones saved in the pattern database, and grants her a corresponding credit. Based on this credit, the user either passes or fails the test, and participates in updating the picture database. Our experiments indicate that human users can solve our proposed captcha effectively—with an accuracy of 99.44 %. Besides, our proposed system is secure against several types of attacks including random guessing and reverse image search engines. The results offer the possibility of utilising the identified human behavioural models in practical captchas. View Paper Change Paper Details
5 Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? Ali, M. A., Arief, L., Emms, M., and Van Moorsel, A. In IEEE Security & Privacy, 2017 We present an attack scenario involving payment systems such as iTunes, Google Wallet, and PayPal that allows attackers to subvert the payment functionality from its intended purpose of validating entered credit or debit card details, into helping the attackers to generate all of the security data fields required to create an online payment account. Even worse, these data will allow attackers to transfer money to an anonymous recipient, on top of an ability to fraudulently purchase items online. Our experimental work has shown that it is possible to implement a web bot which will generate all of the fields required to create an online account, starting with only the 16-digit card number (which can be obtained through many means including contactless payment cards skimming, or buying it from dubious online sites). We have proved that it is possible to circumvent all of the security features (including separation of printed and electronic data and rule for storage of data by the merchants) put in place to protect the cardholders. We have also demonstrated that it is possible to refine the web bot so that it will generate data from multiple websites, circumventing the limit of the number of attempts one can make to enter the correct value, which is imposed by some payment systems. Therefore, we believe that a potential solution to fix this problem should be at the payment gateway level, not at the individual website level. As a result of our ethical disclosure process, a number of the top 10 Alexa rated online merchants have changed their online security settings. This shows that the research is relevant and impactful. View Paper Change Paper Details
6 Decentralized Privacy-Aware Collaborative Filtering of Smart Spammers in a Telecommunication Network Muhammad Ajmal Azad, Samiran Bag Accepted in 32 ACM SAC (Computer Security)) Smart spammers and telemarketers circumvent the standalone spam detection systems by making low rate spamming activity to a large number of recipients distributed across many telecommunication operators. The collaboration among multiple telecommunication operators (OPs) will allow operators to get rid of unwanted callers at the early stage of their spamming activity. The challenge in the design of collaborative spam detection system is that OPs are not willing to share certain information about behaviour of their users/customers because of privacy concerns. Ideally, operators agree to share certain aggregated statistical information if collaboration process ensures complete privacy protection of users and their network data. To address this challenge and convince OPs for the collaboration, this paper proposes a decentralized reputation aggregation protocol that enables OPs to take part in a collaboration process without use of a trusted third party centralized system and without developing a predefined trust relationship with other OPs. To this extent, the collaboration among operators is achieved through the exchange of cryptographic reputation scores among OPs thus fully protects relationship network and reputation scores of users even in the presence of colluders. We evaluate the performance of proposed protocol over the simulated data consisting of five collaborators. Experimental results revealed that proposed approach outperforms standalone systems in terms of true positive rate and false positive rate. View Paper Change Paper Details
7 A Survey of Security Analysis in Federated Identity Management Sean Simpson, Thomas Gross - IFIP Summer School 2016 Federated Identity Management (FIM) is becoming more and more ubiquitous in the web ecosystem. The academic community has found numerous vulnerabilities in FIM protocols (e.g. OAuth, OpenID, SAML, Facebook Connect) and show how those vulnerabilities can be exploited by an attack which eventually leads to a security failure. We collect information on the analysis of FIM protocols. In particular, we categorise the security incidents that occur in FIM systems using a categorisation system founded on Dependability. We also identify specific patterns of security incidents that are happening across FIM protocols and collect countermeasures that have been introduced by others. This work overall helps security researchers understand the nature of security incidents in specific FIM protocols and across the FIM space. View Paper Change Paper Details
8 VirtusCap: Capability-based Access Control for Unikernels Ioannis Sfyrakis, Thomas Groß, IEEE International Conference on Cloud Engineering (IC2E 2017), accepted on November 15th 2016 A recent direction in cloud computing is toward massive consolidation of resources by using lightweight virtual machines (VMs) called unikernels. Unikernels are specialized VMs that eliminate the operating system layer and provide a small footprint, minimal attack surface, and near-instant boot times. However, managing the privileges of thousands of unikernels hosted in Xen hypervisor and authoring complex Mandatory Access Control (MAC) policies using Xen Security Module (XSM)-Flask or sHype is often difficult and error prone for cloud administrators. XSM-Flask and sHype access control mechanisms have not reached wide adoption since their configuration and policies are complex and contain hundreds of subjects and objects for a single VM. Thus, we require an access control mechanism that is flexible, simple, integrated with unikernels and is efficient in order to regulate access to a large number of unikernels. In this paper, we present VirtusCap: a novel multi-layer access control architecture and mechanism that integrates capabilities with unikernels. Our approach employs capabilities to limit privileges of unikernels. Hence, our approach embodies the Principle of Least Privilege (POLP) to create unikernels that have only the privileges they need to accomplish their task. Performance evaluations show that up to request rate of 7000 (req/sec) our prototype’s response time is identical to XSM-Flask. View Paper Change Paper Details
9 Evaluating Users' Affect States: Towards a Study on Privacy Concerns Uchechi Nwadike, Thomas Gross, Kovila P.L. Coopamootoo - IFIP Summer School 2016 Most empirical research on privacy concerns rely on surveys as a means of data collection. These surveys have been described as subjective, as they depend on users’ ability to recollect and communicate their responses. In this study, we validate the tools for an upcoming experiment. We used a survey, PANAS-X and psycho-physiological tools, Facereader and Emotion recognition to accurately measure users' affect states. Our findings not only provide a valuable systematic comparison of the measurement tools, but also techniques for inducing and measuring affect states, beneficial for other researchers. We also provide re-usable building blocks that can be plugged into further research. In addition, to the best to our knowledge, this is the first study employing affect inducing and psycho-physiological tools in usable privacy research. View Paper Change Paper Details

Submit a paper