Behaviour profiling for mobile devices

Li, Fudong

January 2012

With more than 5 billion users globally, mobile devices have become ubiquitous in our daily life. The modern mobile handheld device is capable of providing many multimedia services through a wide range of applications over multiple networks as well as on the handheld device itself. These services are predominantly driven by data, which is increasingly associated with sensitive information. Such a trend raises the security requirement for reliable and robust verification techniques of users.This thesis explores the end-user verification requirements of mobile devices and proposes a novel Behaviour Profiling security framework for mobile devices. The research starts with a critical review of existing mobile technologies, security threats and mechanisms, and highlights a broad range of weaknesses. Therefore, attention is given to biometric verification techniques which have the ability to offer better security. Despite a large number of biometric works carried out in the area of transparent authentication systems (TAS) and Intrusion Detection Systems (IDS), each have a set of weaknesses that fail to provide a comprehensive solution. They are either reliant upon a specific behaviour to enable the system to function or only capable of providing security for network based services. To this end, the behaviour profiling technique is identified as a potential candidate to provide high level security from both authentication and IDS aspects, operating in a continuous and transparent manner within the mobile host environment.This research examines the feasibility of a behaviour profiling technique through mobile users general applications usage, telephone, text message and multi-instance application usage with the best experimental results Equal Error Rates (EER) of 13.5%, 5.4%, 2.2% and 10% respectively. Based upon this information, a novel architecture of Behaviour Profiling on mobile devices is proposed. The framework is able to provide a robust, continuous and non-intrusive verification mechanism in standalone, TAS or IDS modes, regardless of device hardware configuration. The framework is able to utilise user behaviour to continuously evaluate the system security status of the device. With a high system security level, users are granted with instant access to sensitive services and data, while with lower system security levels, users are required to reassure their identity before accessing sensitive services.The core functions of the novel framework are validated through the implementation of a simulation system. A series of security scenarios are designed to demonstrate the effectiveness of the novel framework to verify legitimate and imposter activities. By employing the smoothing function of three applications, verification time of 3 minutes and a time period of 60 minutes of the degradation function, the Behaviour Profiling framework achieved the best performance with False Rejection Rate (FRR) rates of 7.57%, 77% and 11.24% for the normal, protected and overall applications respectively and with False Acceptance Rate (FAR) rates of 3.42%, 15.29% and 4.09% for their counterparts.

004

Managing near field communication (NFC) payment applications through cloud computing

Pourghomi, Pardis

January 2014

The Near Field Communication (NFC) technology is a short-range radio communication channel which enables users to exchange data between devices. NFC provides a contactless technology for data transmission between smart phones, Personal Computers (PCs), Personal Digital Assistants (PDAs) and such devices. It enables the mobile phone to act as identification and a credit card for customers. However, the NFC chip can act as a reader as well as a card, and also be used to design symmetric protocols. Having several parties involved in NFC ecosystem and not having a common standard affects the security of this technology where all the parties are claiming to have access to client’s information (e.g. bank account details). The dynamic relationships of the parties in an NFC transaction process make them partners in a way that sometimes they share their access permissions on the applications that are running in the service environment. These parties can only access their part of involvement as they are not fully aware of each other’s rights and access permissions. The lack of knowledge between involved parties makes the management and ownership of the NFC ecosystem very puzzling. To solve this issue, a security module that is called Secure Element (SE) is designed to be the base of the security for NFC. However, there are still some security issues with SE personalization, management, ownership and architecture that can be exploitable by attackers and delay the adaption of NFC payment technology. Reorganizing and describing what is required for the success of this technology have motivated us to extend the current NFC ecosystem models to accelerate the development of this business area. One of the technologies that can be used to ensure secure NFC transactions is cloud computing which offers wide range advantages compared to the use of SE as a single entity in an NFC enabled mobile phone. We believe cloud computing can solve many issues in regards to NFC application management. Therefore, in the first contribution of part of this thesis we propose a new payment model called “NFC Cloud Wallet". This model demonstrates a reliable structure of an NFC ecosystem which satisfies the requirements of an NFC payment during the development process in a systematic, manageable, and effective way.

004.1675

Rigor and Transparency i.e., How to prevent the zombie paper Apocalypse

Bandrowski, Anita

27 October 2016

Presentation given on October 27, 2016 at Data Reproducibility: Integrity and Transparency program as part of Open Access Week 2016. / The NIH is now requiring the authentication of Key Biological Resources to be specified in a scored portion of most grant applications, but what does it mean to authenticate? We will discuss what Key Biological Resources are, the ongoing efforts to understand how to authenticate them and of course the resources available, including examples. The journal response to authentication will also be pointed to and practical steps that every researcher can take today to improve reporting of research in scientific publication.

National Institute of Health

Authentication

key biological resources

data reproducibility

Assessment of Web-Based Authentication Methods in the U.S.: Comparing E-Learning Systems to Internet Healthcare Information Systems

Mattord, Herbert J.

01 January 2012

Organizations continue to rely on password-based authentication methods to control access to many Web-based systems. This research study developed a benchmarking instrument intended to assess authentication methods used in Web-based information systems (IS). It developed an Authentication Method System Index (AMSI) to analyze collected data from representative samples of e-learning systems in the U.S. and from healthcare ISs, also in the U.S. This data were used to compare authentication methods used by those systems. The AMSI measured 1) password strength requirements, 2) password usage methods, and 3) password reset requirements. Those measures were combined into the single index that represents the current authentication methods. This study revealed that there is no significant difference in the ways that authentication methods are employed between the two groups of ISs. This research validated the criteria proposed for the AMSI using a panel of experts drawn from industry and academia. Simultaneously, the same panel provided preferences for the relative weight of specific criteria within some measures. The panel of experts also assessed the relative weight of each measure within the AMSI. Once the criteria were verified and the elicited weights were computed, an opportunity sample of Web-based ISs in the two groups identified earlier were assessed to ascertain the values for the criteria that comprise the AMSI. After completion of pre-analysis data screening, the collected data were assessed using the results of the AMSI benchmarking tool. Results of the comparison within and between the two sample groups are presented. This research found that the AMSI can be used as a mechanism to measure some aspects of the authentication methods used by Web-based systems. There was no measurable significance in the differences between the samples groups. However, IS designers, quality assurance teams, and information security practitioners charged with validating ISs methods may choose to use it to measure the effectiveness of such authentication methods. This can enable continuous improvement of authentication methods employed in such Web-based systems.

Authentication

E-learning

Healthcare

Information Security

Security Management

Computer Sciences

Atestamento em arquitetura aberta de serviços (SOA): um arcabouço para validação de legitimidade dos consumidores de serviços e seus dispositivos de acesso. / Validation of consumers in services oriented architecture (SOA): a framework to validate legitimacy of service consumers and their access means.

Silva, Richard Flávio da

17 June 2010

Em Arquiteturas Abertas e Orientadas a Serviços (Service Oriented Architectures - SOA) a preocupação com a área de segurança tem recebido importante atenção no desenho das aplicações em função das vulnerabilidades intrínsecas associadas a este novo paradigma. Este trabalho tem por objetivo propor um arcabouço para o desenvolvimento seguro de aplicações em SOA, com foco nos aspectos de segurança através da validação dos consumidores de serviços e seus dispositivos de acesso. Para este objetivo, foi conduzido um estudo sobre as abordagens tradicionais para a segurança em soluções Web uma vez que esta é a plataforma predominante na implementação de soluções SOA. Neste estudo, foi identificado que uma área fértil para contribuição à segurança em soluções SOA é o atestamento dos componentes ou programas consumidores de serviços. Por atestamento, deve-se entender um processo de verificação da legitimidade dos participantes (indivíduos, hardware e software) de uma cadeia de acesso. Como resultado deste trabalho, foi proposto um arcabouço, denominado ASACS (Arcabouço para Segurança por Atestamento dos Consumidores de Serviços), para controle de acesso aos serviços baseado na validação de etapas de atestamento dos consumidores. Estas etapas vão desde o fornecimento de informações sobre a plataforma de execução dos consumidores até a análise comportamental para definir o grau de confiança de cada consumidor em uma rede distribuída de serviços. A utilização do arcabouço traz um importante reforço à segurança ao buscar a negação de acesso a consumidores mal intencionados, não legítimos ou que tenham sido alvo de ataque. Como principal contribuição, este arcabouço orienta uma abordagem estruturada para a validação de legitimidade dos consumidores e de seus dispositivos e programas de acesso, resultando na necessidade de um aumento dos esforços requeridos para um ataque na tentativa de violar a segurança dos serviços oferecidos. / In Service Oriented Architectures (SOA) the concern with security has received important focus on solution design as a consequence of intrinsic vulnerabilities at the basis of this new paradigm. This work proposes a framework to secure development of SOA applications, with a special attention to security matters regarding validation of service consumers and its access means. In order to accomplish this goal, it was conducted a research over traditional approaches for security in Web applications, considering that Web platform is definitely dominant for SOA implementation. In this research, validation of service consumers was figured out as a promising area to security enforcement. Validation of service consumers states for a process to verify legitimacy of participants (individuals, hardware and software) in an access chain. As result of this work, it was proposed the framework ASACS designed to control accesses to service providers based on consumers legitimacy validation stages. Such validation stages cover since a check of client stations boot stack layers until a behavioral monitoring to graduate trust levels for each consumer in a network of distributed services. The framework adoption promotes security enforcement while avoiding access from malicious consumers, non legitimate ones or genuine consumers compromised by an attacker. As principal contribution, this framework guides to a structured approach to validate legitimacy of consumers and its programs and access means, requiring higher levels of efforts to an attack attempting violate the security of published services.

Atestamento

Autenticação

Authentication

Legitimacy

Security

Segurança

SOA

SOA

Web

Web

A secure one-use dynamic backdoor password system based on public key cryptography.

January 2002

Yu Haitao. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2002. / Includes bibliographical references (leaves 71). / Abstracts in English and Chinese. / Chapter Chapter 1. --- Introduction --- p.1 / Chapter 1.1 --- Introduction --- p.1 / Chapter 1.2 --- Thesis organization --- p.6 / Chapter Chapter 2. --- Conventional password authentication and backdoor password schemes --- p.7 / Chapter 2.1 --- Password and password authentication --- p.7 / Chapter 2.1.1 --- Introduction to password and its security problems --- p.7 / Chapter 2.1.2 --- Front-door passwords vs. backdoor passwords --- p.8 / Chapter 2.1.3 --- Dynamic passwords vs. static passwords --- p.9 / Chapter 2.2 --- Forgotten-password problem --- p.10 / Chapter Chapter 3. --- Introduction to Cryptography --- p.12 / Chapter 3.1 --- Introduction to information security --- p.12 / Chapter 3.2 --- Conventional cryptography --- p.16 / Chapter 3.3 --- Public-key cryptography --- p.21 / Chapter 3.4 --- RSA cryptosystem --- p.24 / Chapter 3.5 --- One-way function --- p.27 / Chapter 3.6 --- Digital signature --- p.30 / Chapter 3.7 --- Secret sharing --- p.34 / Chapter 3.8 --- Zero-knowledge proof --- p.34 / Chapter 3.9 --- Key management --- p.36 / Chapter 3.9.1 --- Key distribution in conventional cryptography --- p.36 / Chapter 3.9.2 --- Distribution of public keys --- p.39 / Chapter Chapter 4. --- A secure one-use dynamic backdoor password system based on Public Key Cryptography --- p.42 / Chapter 4.1 --- System objectives --- p.42 / Chapter 4.2 --- Simple system and analysis --- p.45 / Chapter 4.2.1 --- System diagram --- p.45 / Chapter 4.2.2 --- System protocol --- p.46 / Chapter 4.2.3 --- Applied technologies --- p.50 / Chapter 4.2.4 --- System security analysis --- p.52 / Chapter 4.3 --- Multi-user system and analysis --- p.55 / Chapter 4.3.1 --- Modification to the system diagram --- p.56 / Chapter 4.3.2 --- Modification to the system protocol --- p.57 / Chapter 4.3.3 --- System analysis for multi-user system --- p.64 / Chapter 4.4 --- Applicable modes and analysis --- p.66 / Chapter 4.5 --- Conclusion --- p.68 / Chapter Chapter 5. --- Conclusion --- p.69 / Bibliography --- p.71 / Appendix --- p.72 / Chapter A. --- Algorithm of MD5 --- p.72 / Chapter B. --- Algorithm of DSA --- p.76 / Chapter C. --- Algorithm of RSA --- p.79

Public key cryptography

Computers--Access control--Passwords

Computer security

Authentication

L'authenticité des oeuvres d'art / Authenticity of works of art

Bekkar, Anissa

13 December 2017

C’est à partir du XIXème siècle, qui signe l’avènement de la conception romantique de l'artiste, que l'authenticité devient la qualité première de l’oeuvre d’art. Conditionnant la valeur de l’oeuvre sur les plans économique et artistique, l’authenticité apparaît toutefois comme difficile à définir dans la mesure où elle repose sur une réalité complexe. Elle est en outre mal aisée à prouver, l’incertitude étant le propre de l’histoire de l’art. Amené à composer avec ces contraintes, c’est principalement via l'erreur sur les qualités essentielles et le droit de la responsabilité civile que le droit des obligations appréhende la question de l’authenticité. Les solutions qu’il apporte, satisfaisantes en terme de protection des contractants, manquent toutefois de pertinence face aux nouvelles formes de création et à la réalité du travail de l’expert. / As a consequence of the romantic conception of artists, the intense interest in authenticity of works of art is relatively recent. Being the key to the determination of both their economic and artistic values, authenticity is hard to define as it is based on a complex reality. It is also uneasy to prove, as art history remains uncertain in many aspects. As it is currently defined in french contract and tort law, authenticity is meant to ensure parties’ consent. However, this conception might not be relevant in the light of contemporary forms of art and art authentication.

Authenticité

Expertise

Obligation (droit)

Originalité

Authentication

Authenticity

Contract

Tort

340

Cloud BI : a multi-party authentication framework for securing business intelligence on the Cloud

Al-Aqrabi, Hussain

January 2016

Business intelligence (BI) has emerged as a key technology to be hosted on Cloud computing. BI offers a method to analyse data thereby enabling informed decision making to improve business performance and profitability. However, within the shared domains of Cloud computing, BI is exposed to increased security and privacy threats because an unauthorised user may be able to gain access to highly sensitive, consolidated business information. The business process contains collaborating services and users from multiple Cloud systems in different security realms which need to be engaged dynamically at runtime. If the heterogamous Cloud systems located in different security realms do not have direct authentication relationships then it is technically difficult to enable a secure collaboration. In order to address these security challenges, a new authentication framework is required to establish certain trust relationships among these BI service instances and users by distributing a common session secret to all participants of a session. The author addresses this challenge by designing and implementing a multiparty authentication framework for dynamic secure interactions when members of different security realms want to access services. The framework takes advantage of the trust relationship between session members in different security realms to enable a user to obtain security credentials to access Cloud resources in a remote realm. This mechanism can help Cloud session users authenticate their session membership to improve the authentication processes within multi-party sessions. The correctness of the proposed framework has been verified by using BAN Logics. The performance and the overhead have been evaluated via simulation in a dynamic environment. A prototype authentication system has been designed, implemented and tested based on the proposed framework. The research concludes that the proposed framework and its supporting protocols are an effective functional basis for practical implementation testing, as it achieves good scalability and imposes only minimal performance overhead which is comparable with other state-of-art methods.

004.67

Impact of access control and copyright in e-learning from user's perspective in the United Kingdom

Akmayeva, Galina

January 2017

The widespread adoption of E-Learning has largely been driven by the recommendations of educational technologists seeking to convey the benefits of E-Learning as a valuable accessory to teaching and possible solution for distance-based education. Research in the E-Learning domain has mainly focused on providing and delivering content andinfrastructure. Security issues are usually not taken as central concern in most implementations either because systems are usually deployed in controlled environments, or because they take the one-to-one tutoring approach, not requiring strict security measures. The scope of this research work is to investigate the impact of Access Control and Copyright in E-Learning system. An extensive literature review, theories from the field of information systems, psychology and cognitive sciences, distance and online learning, as well as existing E-Learning models show that research in E-learning is still hardly concerned with the issues of security. It is obvious that E-learning receives a new meaning as technology advances and business strategies change. The trends of learning methods have also led to the adjustment of National Curriculum and standards. However, research has also shown that any strategy or development supported by the Internet requires security and is therefore faced with challenges. This thesis is divided into six Chapters. Chapter 1 sets the scene for the research rationale and hypotheses, and identifies the aims and objectives. Chapter 2 presents the theoretical background and literature review. Chapter 3 is an in-depth review of the methods and methodology with clear justification of their adaptation and explains the underlying principles. Chapter 4 is based on the results and limitations obtained from the six case studies observations supported with literature review and ten existing models, while Chapter 5 is focused on the questionnaire survey. Chapter 6 describes the proposed Dynamic E-Learning Access Control and Copyright Framework (DEACCF) and the mapping of the threats from the Central Computing and Telecommunications Agency (CCTA) Risk Analysis and Management Method (CRAMM) to Annualised Loss Expectancy (ALE). Chapter 7 presents the conclusions and recommendations, and the contribution to knowledge with further development plans for future work.

Atestamento em arquitetura aberta de serviços (SOA): um arcabouço para validação de legitimidade dos consumidores de serviços e seus dispositivos de acesso. / Validation of consumers in services oriented architecture (SOA): a framework to validate legitimacy of service consumers and their access means.

Richard Flávio da Silva

17 June 2010

Em Arquiteturas Abertas e Orientadas a Serviços (Service Oriented Architectures - SOA) a preocupação com a área de segurança tem recebido importante atenção no desenho das aplicações em função das vulnerabilidades intrínsecas associadas a este novo paradigma. Este trabalho tem por objetivo propor um arcabouço para o desenvolvimento seguro de aplicações em SOA, com foco nos aspectos de segurança através da validação dos consumidores de serviços e seus dispositivos de acesso. Para este objetivo, foi conduzido um estudo sobre as abordagens tradicionais para a segurança em soluções Web uma vez que esta é a plataforma predominante na implementação de soluções SOA. Neste estudo, foi identificado que uma área fértil para contribuição à segurança em soluções SOA é o atestamento dos componentes ou programas consumidores de serviços. Por atestamento, deve-se entender um processo de verificação da legitimidade dos participantes (indivíduos, hardware e software) de uma cadeia de acesso. Como resultado deste trabalho, foi proposto um arcabouço, denominado ASACS (Arcabouço para Segurança por Atestamento dos Consumidores de Serviços), para controle de acesso aos serviços baseado na validação de etapas de atestamento dos consumidores. Estas etapas vão desde o fornecimento de informações sobre a plataforma de execução dos consumidores até a análise comportamental para definir o grau de confiança de cada consumidor em uma rede distribuída de serviços. A utilização do arcabouço traz um importante reforço à segurança ao buscar a negação de acesso a consumidores mal intencionados, não legítimos ou que tenham sido alvo de ataque. Como principal contribuição, este arcabouço orienta uma abordagem estruturada para a validação de legitimidade dos consumidores e de seus dispositivos e programas de acesso, resultando na necessidade de um aumento dos esforços requeridos para um ataque na tentativa de violar a segurança dos serviços oferecidos. / In Service Oriented Architectures (SOA) the concern with security has received important focus on solution design as a consequence of intrinsic vulnerabilities at the basis of this new paradigm. This work proposes a framework to secure development of SOA applications, with a special attention to security matters regarding validation of service consumers and its access means. In order to accomplish this goal, it was conducted a research over traditional approaches for security in Web applications, considering that Web platform is definitely dominant for SOA implementation. In this research, validation of service consumers was figured out as a promising area to security enforcement. Validation of service consumers states for a process to verify legitimacy of participants (individuals, hardware and software) in an access chain. As result of this work, it was proposed the framework ASACS designed to control accesses to service providers based on consumers legitimacy validation stages. Such validation stages cover since a check of client stations boot stack layers until a behavioral monitoring to graduate trust levels for each consumer in a network of distributed services. The framework adoption promotes security enforcement while avoiding access from malicious consumers, non legitimate ones or genuine consumers compromised by an attacker. As principal contribution, this framework guides to a structured approach to validate legitimacy of consumers and its programs and access means, requiring higher levels of efforts to an attack attempting violate the security of published services.

Atestamento

Autenticação

Segurança

SOA

Web

Authentication

Legitimacy

Security

SOA

Web