Pokročilá evaluace úrovně privátnosti v sociálních sítích / Advanced Evaluation of Privacy Level in Social Networks

Januš, Filip

January 2020

Nowadays persists a trend of moving interpersonal communication into the online environment. By the reason of the social networks and social network's services. Many users doesn't perceive threats connected with presence in internet environment. This thesis is focused on the analysis of the user's account privacy settings followed by the evaluation of these settings. The goal is to develop and create a tool providing ability to evaluate privacy settings of the user's account, eventually recommend more suitable settings given to user privacy. To achieve these goals is necessary to use a suitable model performing privacy evaluation. The output of the thesis will consist of a proposal and implementation of tool performing analysis, evaluation and recommendation of how to improve the social network's privacy settings. Which should help users reduce the amount of privacy information leakage.

Testing Privacy and Security of Voice Interface Applications in the Internet of Things Era

Shafei, Hassan, 0000-0001-6844-5100

04 1900

Voice User Interfaces (VUI) are rapidly gaining popularity, revolutionizing user interaction with technology through the widespread adoption in devices such as desktop computers, smartphones, and smart home assistants, thanks to significant advancements in voice recognition and processing technologies. Over a hundred million users now utilize these devices daily, and smart home assistants have been sold in massive numbers, owing to their ease and convenience in controlling a diverse range of smart devices within the home IoT environment through the power of voice, such as controlling lights, heating systems, and setting timers and alarms. VUI enables users to interact with IoT technology and issue a wide range of commands across various services using their voice, bypassing traditional input methods like keyboards or touchscreens. With ease, users can inquire in natural language about the weather, stock market, and online shopping and access various other types of general information.However, as VUI becomes more integrated into our daily lives, it brings to the forefront issues related to security, privacy, and usability. Concerns such as the unauthorized collection of user data, the potential for recording private conversations, and challenges in accurately recognizing and executing commands across diverse accents, leading to misinterpretations and unintended actions, underscore the need for more robust methods to test and evaluate VUI services. In this dissertation, we delve into voice interface testing, evaluation for privacy and security associated with VUI applications, assessment of the proficiency of VUI in handling diverse accents, and investigation into access control in multi-user environments. We first study the privacy violations of the VUI ecosystem. We introduced the definition of the VUI ecosystem, where users must connect the voice apps to corresponding services and mobile apps to function properly. The ecosystem can also involve multiple voice apps developed by the same third-party developers. We explore the prevalence of voice apps with corresponding services in the VUI ecosystem, assessing the landscape of privacy compliance among Alexa voice apps and their companion services. We developed a testing framework for this ecosystem. We present the first study conducted on the Alexa ecosystem, specifically focusing on voice apps with account linking. Our designed framework analyzes both the privacy policies of these voice apps and their companion services or the privacy policies of multiple voice apps published by the same developers. Using machine learning techniques, the framework automatically extracts data types related to data collection and sharing from these privacy policies, allowing for a comprehensive comparison. Next, researchers studied the voice apps' behavior to conduct privacy violation assessments. An interaction approach with voice apps is needed to extract the behavior where pre-defined utterances are input into the simulator to simulate user interaction. The set of pre-defined utterances is extracted from the skill's web page on the skill store. However, the accuracy of the testing analysis depends on the quality of the extracted utterances. An utterance or interaction that was not captured by the extraction process will not be detected, leading to inaccurate privacy assessment. Therefore, we revisited the utterance extraction techniques used by prior works to study the skill's behavior for privacy violations. We focused on analyzing the effectiveness and limitations of existing utterance extraction techniques. We proposed a new technique that improved prior work extraction techniques by utilizing the union of these techniques and human interaction. Our proposed technique makes use of a small set of human interactions to record all missing utterances, then expands that to test a more extensive set of voice apps. We also conducted testing on VUI with various accents to study by designing a testing framework that can evaluate VUI on different accents to assess how well VUI implemented in smart speakers caters to a diverse population. Recruiting individuals with different accents and instructing them to interact with the smart speaker while adhering to specific scripts is difficult. Thus, we proposed a framework known as AudioAcc, which facilitates evaluating VUI performance across diverse accents using YouTube videos. Our framework uses a filtering algorithm to ensure that the extracted spoken words used in constructing these composite commands closely resemble natural speech patterns. Our framework is scalable; we conducted an extensive examination of the VUI performance across a wide range of accents, encompassing both professional and amateur speakers. Additionally, we introduced a new metric called Consistency of Results (COR) to complement the standard Word Error Rate (WER) metric employed for assessing ASR systems. This metric enables developers to investigate and rewrite skill code based on the consistency of results, enhancing overall WER performance. Moreover, we looked into a special case related to the access control of VUI in multi-user environments. We proposed a framework for automated testing to explore the access control weaknesses to determine whether the accessible data is of consequence. We used the framework to assess the effectiveness of voice access control mechanisms within multi-user environments. Thus, we show that the convenience of using voice systems poses privacy risks as the user's sensitive data becomes accessible. We identify two significant flaws within the access control mechanisms proposed by the voice system, which can exploit the user's private data. These findings underscore the need for enhanced privacy safeguards and improved access control systems within online shopping. We also offer recommendations to mitigate risks associated with unauthorized access, shedding light on securing the user's private data within the voice systems. / Computer and Information Science

Computer science

Alexa voice applications

Privacy and security in IoT

Smart speaker

Voice assistant

Voice User Interface (VUI)

VUI data privacy

Nová média shromažďující informace o svém publiku a vztah uživatelů k bezpečnosti dat: kvalitativní studie / New media gathering users data and the attitude of users towards internet security: qualitative study

Laube, David

January 2015

The theoretical part of the thesis analyzes the topic of new media and how it works with the privacy of its users. On the examples of applications such as Facebook, or Google services, I refer to the intensive and extensive kind of private information, that are stored on the provider's servers. All these data are not just gathered, but also analyzed and evaluated. Private companies use data of its users in such extension like never before. New media and their activities raises new questions about possible misuse of such data. In this thesis I mention a few examples that are somehow related to the topic of privacy and personal data protection. In the practical part I use the tools of qualitative research to explore how the issue of online privacy and data security is perceived by different user groups and how they explain their behavior. I examined whether the privacy issue is an important one and if their online activity in this context is somehow particularly regulated or restricted. For research I chose two groups of respondents - younger users up to 37 years of age and older aged 55 +. I get information from the respondents in the form of semi-structured interview. These were analyzed and I created new conclusions from it.

Lightweight Cryptographic Group Key Management Protocols for the Internet of Things

Gebremichael, Teklay

January 2019

The Internet of Things (IoT) is increasingly becoming an integral component of many applications in consumer, industrial and other areas. Notions such as smart industry, smart transport, and smart world are, in large part, enabled by IoT. At its core, the IoT is underpinned by a group of devices, such as sensors and actuators, working collaboratively to provide a required service. One of the important requirements most IoT applications are expected to satisfy is ensuring the security and privacy of users. Security is an umbrella term that encompasses notions such as confidentiality, integrity and privacy, that are typically achieved using cryptographic encryption techniques. A special form of communication common in many IoT applications is group communication, where there are two or more recipients of a given message. In or-der to encrypt a message broadcast to a group, it is required that the participating parties agree on a group key a priori. Establishing and managing a group key in IoT environments, where devices are resources-constrained and groups are dynamic, is a non-trivial problem. The problem presents unique challenges with regard to con-structing protocols from lightweight and secure primitives commensurate with the resource-constrained nature of devices and maintaining security as devices dynamically leave or join a group. This thesis presents lightweight group key management protocols proposed to address the aforementioned problem, in a widely adopted model of a generic IoT network consisting of a gateway with reasonable computational power and a set of resource-constrained nodes. The aim of the group key management protocols is to enable the gateway and the set of resource-constrained devices to establish and manage a group key, which is then used to encrypt group messages. The main problems the protocols attempt to solve are establishing a group key among participating IoT devices in a secure and computationally feasible manner; enabling additionor removal of a device to the group in a security preserving manner; and enabling generation of a group session key in an efficient manner without re-running the protocol from scratch. The main challenge in designing such protocols is ensuring that the computations that a given IoT device performs as part of participating in the protocol are computationally feasible during initial group establishment, group keyupdate, and adding or removing a node from the group. The work presented in this thesis shows that the challenge can be overcome by designing protocols from lightweight cryptographic primitives. Specifically, protocols that exploit the lightweight nature of crypto-systems based on elliptic curves and the perfect secrecy of the One Time Pad (OTP) are presented. The protocols are designed in such a way that a resource-constrained member node performs a constant number of computationally easy computations during all stages of the group key management process. To demonstrate that the protocols are practically feasible, implementation resultof one of the protocols is also presented, showing that the protocol outperforms similar state-of-the-art protocols with regard to energy consumption, execution time, memory usage and number of messages generated. / <p>Vid tidpunkten för framläggningen av avhandlingen var följande delarbete opublicerat: delarbete 3 (manuskript).</p><p>At the time of the defence the following paper was unpublished: paper 3 (manuscript).</p> / SMART (Smarta system och tjänster för ett effektivt och innovativt samhälle)

Privacy and security of the IoT

IoT group key management

lightweight key management protocols

elliptic curve cryptography

proximity-based authentication

Computer Sciences

Datavetenskap (datalogi)

Privacy leaks from deep linear networks : Information leak via shared gradients in federated learning systems / Sekretessläckor från djupa linjära nätverk : Informationsläckor via delning av gradienter i distribuerade lärande system

Shi, Guangze

January 2022

The field of Artificial Intelligence (AI) has always faced two major challenges. The first is that data is kept scattered and cannot be collected for more efficiently use. The second is that data privacy and security need to be continuously strengthened. Based on these two points, federated learning is proposed as an emerging machine learning scheme. The idea of federated learning is to collaboratively train neural networks on servers. Each user receives the current weights of the network and then sequentially sends parameter updates (gradients) based on their own data. Because the input data remains on-device and only the parameter gradients are shared, this scheme is considered to be effective in preserving data privacy. Some previous attacks also provide a false sense of security since they only succeed in contrived settings, even for a single image. Our research mainly focus on attacks on shared gradients, showing experimentally that private training data can be obtained from publicly shared gradients. We do experiments on both linear-based and convolutional-based deep networks, whose results show that our attack is capable of creating a threat to data privacy, and this threat is independent of the specific structure of neural networks. The method presented in this paper is only to illustrate that it is feasible to recover user data from shared gradients, and cannot be used as an attack to obtain privacy in large quantities. The goal is to spark further research on federated learning, especially gradient security. We also make some brief discussion on possible strategies against our attack methods of privacy. Different methods have their own advantages and disadvantages in terms of privacy protection. Therefore, data pre-processing and network structure adjustment may need to be further researched, so that the process of training the models can achieve better privacy protection while maintaining high precision. / Området artificiell intelligens har alltid stått inför två stora utmaningar. Den första är att data hålls utspridda och inte kan samlas in för mer effektiv användning. Det andra är att datasekretess och säkerhet behöver stärkas kontinuerligt. Baserat på dessa två punkter föreslås federerat lärande som ett framväxande angreppssätt inom maskininlärning. Tanken med federerat lärande är att tillsammans träna neurala nätverk på servrar. Varje användare får nätverkets aktuella vikter och skickar sedan parameteruppdateringar (gradienter) sekventiellt baserat på sina egna data. Eftersom indata förblir på enheten och endast parametergradienterna delas, anses detta schema vara effektivt för att bevara datasekretessen. Vissa tidigare attacker ger också en falsk känsla av säkerhet eftersom de bara lyckas i konstruerade inställningar, även för en enda bild. Vår forskning fokuserar främst på attacker på delade gradienter, och visar experimentellt att privat träningsdata kan erhållas från offentligt delade gradienter. Vi gör experiment på både linjärbaserade och faltningsbaserade djupa nätverk, vars resultat visar att vår attack kan skapa ett hot mot dataintegriteten, och detta hot är oberoende av den specifika strukturen hos djupa nätverk. Metoden som presenteras i denna rapport är endast för att illustrera att det är möjligt att rekonstruera användardata från delade gradienter, och kan inte användas som en attack för att erhålla integritet i stora mängder. Målet är att få igång ytterligare forskning om federerat lärande, särskilt gradientsäkerhet. Vi gör också en kort diskussion om möjliga strategier mot våra attackmetoder för integritet. Olika metoder har sina egna fördelar och nackdelar när det gäller integritetsskydd. Därför kan förbearbetning av data och justering av nätverksstruktur behöva undersökas ytterligare, så att processen med att träna modellerna kan uppnå bättre integritetsskydd samtidigt som hög precision bibehålls.

Federated learning

Gradient share

Deep neural network

Information leak

Privacy and security

Maskininlärning med flera noder

Gradientdelning

Djupt neuralt nätverk

Informationsläcka

Integritetssäkerhet

Computer and Information Sciences

Data- och informationsvetenskap

Um modelo de gerência de segurança para middleware baseado em tuple para ambientes difusos e nômades. / A model of security management for middleware based on tuple in diffuse and nomadic environments.

Désiré, Nguessan

18 December 2009

Este trabalho explora a gerência de segurança e cooperação de aplicações em sistemas distribuídos móveis. Neste contexto, é feito um estudo sobre os diferentes middlewares para ambientes móveis (mobile middleware): suas capacidades de enfrentar os desafios da mobilidade e da segurança. As análises do estudo mostram que esses middlewares devem possuir características que lhes permitem uma melhor adaptação às necessidades das aplicações e à natureza dos ambientes móveis. Os middlewares existentes pouco abordam a questão da segurança. A segurança ainda é um problema complexo que deve ser gerido em todos os níveis de um sistema distribuído móvel, incluindo novos mecanismos. Com base nessa análise, foi desenvolvido um modelo de gerência de segurança que implementa um mecanismo de autenticação mútua, confidencialidade, detecção de intruso e controle de acesso em ambientes móveis. O objetivo é garantir a confiabilidade, a disponibilidade de serviços e a privacidade do usuário através da tecnologia PET - Privacy-Enhancing Tecnologies. A idéia é fundamentada em agentes interceptadores e autoridades de segurança que distribuem tíquetes de segurança e controlam o acesso a recursos e espaços de tuple do ambiente. O estudo de caso apresentou resultados satisfatórios que permitem julgar a pertinência do modelo proposto. O modelo será integrado a um sistema de e-saúde. / The work exploits the security management and the cooperation of applications in mobile distributed systems. In this context a study of different mobile middleware is made. The study examines their capacities to face the challenges of mobility and security issues. The analysis shows that the existing middleware has very few approaches on security problems; security is still a complex issue to be managed in all the levels of mobile distributed system including new mechanisms. Based on this analysis, a security management model is developed that implements a mechanism for mutual authentication, confidentiality, intrusion detection, access control of mobile agents in mobile environments, ensures services availability and user privacy, through technology PET (Privacy-Enhancing Technologies). The idea is based on interceptor agents and security authorities that distribute security tickets and control the access to resources and Tuple spaces in mobile environment. The proposed model presents good performance and is integrated to an e-health system: Relationship Management with Chronic Patient GRPC.

Agente móvel

Computação difusa

Computação nômade

Espaço tuple

Gerência de segurança e privacidade

Middleware móvel

Mobile agent

Mobile middleware

Nomadic computing

Pervasive computing

PET technology

Privacy and security management

Tecnologia PET

Tuple space

Um modelo de gerência de segurança para middleware baseado em tuple para ambientes difusos e nômades. / A model of security management for middleware based on tuple in diffuse and nomadic environments.

Nguessan Désiré

18 December 2009

Este trabalho explora a gerência de segurança e cooperação de aplicações em sistemas distribuídos móveis. Neste contexto, é feito um estudo sobre os diferentes middlewares para ambientes móveis (mobile middleware): suas capacidades de enfrentar os desafios da mobilidade e da segurança. As análises do estudo mostram que esses middlewares devem possuir características que lhes permitem uma melhor adaptação às necessidades das aplicações e à natureza dos ambientes móveis. Os middlewares existentes pouco abordam a questão da segurança. A segurança ainda é um problema complexo que deve ser gerido em todos os níveis de um sistema distribuído móvel, incluindo novos mecanismos. Com base nessa análise, foi desenvolvido um modelo de gerência de segurança que implementa um mecanismo de autenticação mútua, confidencialidade, detecção de intruso e controle de acesso em ambientes móveis. O objetivo é garantir a confiabilidade, a disponibilidade de serviços e a privacidade do usuário através da tecnologia PET - Privacy-Enhancing Tecnologies. A idéia é fundamentada em agentes interceptadores e autoridades de segurança que distribuem tíquetes de segurança e controlam o acesso a recursos e espaços de tuple do ambiente. O estudo de caso apresentou resultados satisfatórios que permitem julgar a pertinência do modelo proposto. O modelo será integrado a um sistema de e-saúde. / The work exploits the security management and the cooperation of applications in mobile distributed systems. In this context a study of different mobile middleware is made. The study examines their capacities to face the challenges of mobility and security issues. The analysis shows that the existing middleware has very few approaches on security problems; security is still a complex issue to be managed in all the levels of mobile distributed system including new mechanisms. Based on this analysis, a security management model is developed that implements a mechanism for mutual authentication, confidentiality, intrusion detection, access control of mobile agents in mobile environments, ensures services availability and user privacy, through technology PET (Privacy-Enhancing Technologies). The idea is based on interceptor agents and security authorities that distribute security tickets and control the access to resources and Tuple spaces in mobile environment. The proposed model presents good performance and is integrated to an e-health system: Relationship Management with Chronic Patient GRPC.

Agente móvel

Computação difusa

Computação nômade

Espaço tuple

Gerência de segurança e privacidade

Middleware móvel

Tecnologia PET

Mobile agent

Mobile middleware

Nomadic computing

Pervasive computing

PET technology

Privacy and security management

Tuple space

Lite-Agro: Integrating Federated Learning and TinyML on IoAT-Edge for Plant Disease Classification

Dockendorf, Catherine April

05 1900

Lite-Agro studies applications of TinyML in pear (Pyrus communis) tree disease identification and explores hardware implementations with an ESP32 microcontroller. The study works with the DiaMOS Pear Dataset to learn through image analysis whether the leaf is healthy or not, and classifies it according to curl, healthy, spot or slug categories. The system is designed as a low cost and light-duty computing detection edge solution that compares models such as InceptionV3, XceptionV3, EfficientNetB0, and MobileNetV2. This work also researches integration with federated learning frameworks and provides an introduction to federated averaging algorithms.

Computer Science

Engineering, System Science

Agriculture, Plant Pathology