Global ETD Search

21	Exploring the conflict of interest between knowledge-sharing and information security practices : an empirical case study Ahmed, Ghosia January 2017 (has links) Knowledge sharing and information security have become well-established concepts in academia and within organisations. Knowledge sharing aims to encourage individuals to share tacit and explicit knowledge with colleagues and stakeholders, yet on the other hand, information security initiatives aim to apply controls and restrictions to the knowledge that can be shared and how it can be shared, where the primary focus is usually on protecting explicit knowledge or information. This thesis draws attention to the largely unexplored and under-developed area of knowledge protection ; it investigates the paradoxical and concurrent nature of knowledge sharing and information security practices by exploring their relationship and understanding how this can affect an organisation and subsequently identifies ways of achieving a balance between the two practices. The empirical work was carried out through an interpretivist case study approach in the Energy Technologies Institute (ETI) an organisation that combines knowledge and expertise from partnerships with academia, industry and the UK government, in order to deliver innovative low carbon solutions. A novel team-based action learning approach was developed to generate individual, team and organisational learning and to help initiate change; the data was collected from three project teams about their knowledge and experiences of knowledge sharing and information security practices, which was then analysed and further supplemented with the ETI s organisational perspective and the researcher s own experience of collaborating with the ETI to contextualise the findings. Eight predominant overarching themes were identified that play an important role in and influence the organisation s knowledge sharing and information security practices. When looking at the practices of knowledge sharing and information security independently at the ETI, proactive and conscious efforts towards achieving the goals of each practice are evident. Knowledge is recognised as the ETI s core product and its effective dissemination is key for the organisation s success, which is why there is a keen attitude towards improving knowledge sharing internally and externally. On the other hand, a great deal of importance is given to protecting valuable knowledge and meeting stakeholders confidentiality requirements, thus, there are good systems, access controls, and information restrictions in place. In addition, strict legal and approval processes to protect information value and accuracy are implemented. However, when both knowledge sharing and information security - practices are compared from a broader perspective, evidence of issues arising from their conflicting nature is evident. Moreover, operating in a complex governance structure with various expectations and contractual agreements with stakeholders regarding confidentiality, has created a protective culture in the organisation surrounding its knowledge, which causes a hindrance to formal and informal knowledge sharing (including both, tacit and explicit forms) and makes identifying opportunities for fully exploiting knowledge and Intellectual Property an ongoing operational challenge. The research process facilitated the achievement of effective learning at individual, team and organisational level for the ETI about its practices, identification of challenges and areas of improvement, incorporation of learning and recommendations into its knowledge management strategy alongside existing activities to improve knowledge sharing. The contents of this thesis particularly the eight themes that have emerged from the research findings - are also contributing significantly to a project the organisation is carrying out to reflect on and review what has been learned from operating the ETI for the last 10 years. The thesis contributes to the existing body of knowledge, theoretically and practically, in the disciplines of knowledge management and information security; what was predominantly overlooked by previous literature, the empirical research findings surface evidence of the relationship between knowledge sharing and information security practices, showing their interconnectedness, and, the negative consequences of the two practices being treated and managed separately. For the action learning arena, a novel methodological approach underpinned by the action learning philosophy has been introduced that demonstrates how team action learning (i.e. using intact teams as opposed to conventional action learning teams) can be used to engage employees to share and combine their knowledge on real organisational issues, generate new learning and develop actions to initiate improvements in the organisation.
22	Security vulnerability verification through contract-based assertion monitoring at runtime Hoole, Alexander M. 08 January 2018 (has links) In this dissertation we seek to identify ways in which the systems development life cycle (SDLC) can be augmented with improved software engineering practices to measurably address security concerns that have arisen relating to security vulnerability defects in software. By proposing a general model for identifying potential vulnerabilities (weaknesses) and using runtime monitoring for verifying their reachability and exploitability during development and testing reduces security risk in delivered products. We propose a form of contract for our monitoring framework that is used to specify the environmental and system security conditions necessary for the generation of probes that monitor security assertions during runtime to verify suspected vulnerabilities. Our assertion-based security monitoring framework, based on contracts and probes, known as the Contract-Based Security Assertion Monitoring Framework (CB_SAMF) can be employed for verifying and reacting to suspected vulnerabilities in the application and kernel layers of the Linux operating system. Our methodology for integrating CB_SAMF into SDLC during development and testing to verify suspected vulnerabilities reduces the human effort by allowing developers to focus on fixing verified vulnerabilities. Metrics intended for the weighting, prioritizing, establishing confidence, and detectability of potential vulnerability categories are also introduced. These metrics and weighting approaches identify deficiencies in security assurance programs/products and also help focus resources towards a class of suspected vulnerabilities, or a detection method, which may presently be outside of the requirements and priorities of the system. Our empirical evaluation demonstrates the effectiveness of using contracts to verify exploitability of suspected vulnerabilities across five input validation related vulnerability types, combining our contracts with existing static analysis detection mechanisms, and measurably improving security assurance processes/products used in an enhanced SDLC. As a result of this evaluation we introduced two new security assurance test suites, through collaborations with the National Institute of Standards and Technology (NIST), replacing existing test suites. The new and revised test cases provide numerous improvements to consistency, accuracy, and preciseness along with enhanced test case metadata to aid researchers using the Software Assurance Reference Dataset (SARD). / Graduate Security and protection Quality assurance Testing tools Metrics/measurement Evaluation strategy Security Runtime monitoring Static analysis
23	ENHANCING PRIVACY OF TRAINING DATA OF DEEP NEURAL NETWORKS ON EDGE USING TRUSTED EXECUTION ENVIRONMENTS Gowri Ramshankar (18398499) 18 April 2024 (has links) <p dir="ltr">Deep Neural Networks (DNNs) are deployed in many applications and protecting the privacy of training data has become a major concern. Membership Inference Attacks (MIAs) occur when an unauthorized person is able to determine whether a piece of data is used in training the DNNs. This paper investigates using Trusted Execution Environments (TEEs) in modern processors to protect the privacy of training data. Running DNNs on TEE, however, encounters many challenges, including limited computing and storage resources as well as a lack of development frameworks. This paper proposes a new method to partition pre-trained DNNs so that parts of the DNNs can fit into TEE to protect data privacy. The existing software infrastructure for running DNNs on TEE requires a significant amount of human effort using C programs. However, most existing DNNs are implemented using Python. This paper presents a framework that can automate most parts of the process of porting Python-based DNNs to TEE. The proposed method is deployed in Arm TrustZone-A on Raspberry Pi 3B+ with OPTEE-OS and evaluated on popular image classification models - AlexNet, ResNet, and VGG. Experimental results show that our method can reduce the accuracy of gradient-based MIAs on AlexNet, VGG- 16, and ResNet-20 evaluated on the CIFAR-100 dataset by 17.9%, 11%, and 35.3%. On average, processing an image in the native execution environment takes 4.3 seconds, whereas in the Trusted Execution Environment (TEE), it takes about 10.1 seconds per image.<br><br></p> Computer vision Image processing Data and information privacy Data security and protection Hardware security Deep Learning Hardware Security
24	<b>USER-CENTERED DATA ACCESS CONTROL TECHNIQUES FOR SECURE AND PRIVACY-AWARE MOBILE SYSTEMS</b> Reham Mohamed Sa Aburas (18857674) 25 June 2024 (has links) <p dir="ltr">The pervasive integration of mobile devices in today’s modern world, e.g., smartphones, IoT, and mixed-reality devices, has transformed various domains, enhancing user experiences, yet raising concerns about data security and privacy. Despite the implementation of various measures, such as permissions, to protect user privacy-sensitive data, vulnerabilities persist. These vulnerabilities pose significant threats to user privacy, including the risk of side-channel attacks targeting low-permission sensors. Additionally, the introduction of new permissions, such as the App Tracking Transparency framework in iOS, seeks to enhance user transparency and control over data sharing practices. However, these framework designs are accompanied by ambiguous developer guidelines, rendering them susceptible to deceptive patterns. These patterns can influence user perceptions and decisions, undermining the intended purpose of these permissions. Moreover, the emergence of new mobile technologies, e.g., mixed-reality devices, presents novel challenges in ensuring secure data sharing among multiple users in collaborative environments, while preserving usability.</p><p dir="ltr">In this dissertation, I focus on developing user-centered methods for enhancing the security and privacy of mobile system, navigating through the complexities of unsolicited data access strategies and exploring innovative approaches to secure device authentication and data sharing methodologies.</p><p dir="ltr">To achieve this, first, I introduce my work on the iStelan system, a three-stage side-channel attack. This method exploits the low-permission magnetometer sensor in smartphones to infer user sensitive touch data and application usage patterns. Through an extensive user study, I demonstrate the resilience of iStelan across different scenarios, surpassing the constraints and limitations of prior research efforts.</p><p dir="ltr">Second, I present my analysis and study on the App Tracking Transparency permission in iOS. Specifically, my work focuses on analyzing and detecting the dark patterns employed by app developers in the permission alerts to obtain user consent. I demonstrate my findings on the dark patterns observed in permission alerts on a large-scale of apps collected from Apple’s store, using both static and dynamic analysis methods. Additionally, I discuss the application of a between-subject user study to evaluate users’ perceptions and understanding when exposed to different alert patterns.</p><p dir="ltr">Lastly, I introduce StareToPair, a group pairing system that leverages multi-modal sensing technologies in mixed-reality devices to enable secure data sharing in collaborative settings. StareToPair employs a sophisticated threat model capable of addressing various real-world scenarios, all while ensuring high levels of scalability and usability.</p><p dir="ltr">Through rigorous investigation, theoretical analysis and user studies, my research endeavors enhance the field of security and privacy for mobile systems. The insights gained from these studies offer valuable guidance for future developments in mobile systems, ultimately contributing to the design of user-centered secure and privacy-aware mobile ecosystems.</p> Data security and protection System and network security Mobile computing Mobile Security & Privacy Usable Security
25	TECHNIQUES TO SECURE AND MONITOR CLIENT DATABASE APPLICATIONS Daren Khaled Fadolalkarim (19200958) 23 July 2024 (has links) <p dir="ltr">In this thesis, we aim at securing database applications in different ways. We have designed, implemented and experimentally evaluated two systems, AD-PROM and DCAFixer. AD-PROM has the goal to monitor database application while running to detect changes in applications’ behaviors at run time. DCAFixer, focus on securing database applications at the early development stages, i.e., coding and testing.</p> Data security and protection Software and application security Database security Program Analysis software security Automated Program Repair
26	Adversarial Attacks Against Network Intrusion Detection Systems Sanidhya Sharma (19203919) 26 July 2024 (has links) <p dir="ltr">The explosive growth of computer networks over the past few decades has significantly enhanced communication capabilities. However, this expansion has also attracted malicious attackers seeking to compromise and disable these networks for personal gain. Network Intrusion Detection Systems (NIDS) were developed to detect threats and alert users to potential attacks. As the types and methods of attacks have grown exponentially, NIDS have struggled to keep pace. A paradigm shift occurred when NIDS began using Machine Learning (ML) to differentiate between anomalous and normal traffic, alleviating the challenge of tracking and defending against new attacks. However, the adoption of ML-based anomaly detection in NIDS has unraveled a new avenue of exploitation due to the inherent inadequacy of machine learning models - their susceptibility to adversarial attacks.</p><p dir="ltr">In this work, we explore the application of adversarial attacks from the image domain to bypass Network Intrusion Detection Systems (NIDS). We evaluate both white-box and black-box adversarial attacks against nine popular ML-based NIDS models. Specifically, we investigate Projected Gradient Descent (PGD) attacks on two ML models, transfer attacks using adversarial examples generated by the PGD attack, the score-based Zeroth Order Optimization attack, and two boundary-based attacks, namely the Boundary and HopSkipJump attacks. Through comprehensive experiments using the NSL-KDD dataset, we find that logistic regression and multilayer perceptron models are highly vulnerable to all studied attacks, whereas decision trees, random forests, and XGBoost are moderately vulnerable to transfer attacks or PGD-assisted transfer attacks with approximately 60 to 70% attack success rate (ASR), but highly susceptible to targeted HopSkipJump or Boundary attacks with close to a 100% ASR. Moreover, SVM-linear is highly vulnerable to both transfer attacks and targeted HopSkipJump or Boundary attacks achieving around 100% ASR, whereas SVM-rbf is highly vulnerable to transfer attacks with a 77% ASR but only moderately to targeted HopSkipJump or Boundary attacks with a 52% ASR. Finally, both KNN and Label Spreading models exhibit robustness against transfer-based attacks with less than 30% ASR but are highly vulnerable to targeted HopSkipJump or Boundary attacks with a 100% ASR with a large perturbation. Our findings may provide insights for designing future NIDS that are robust against potential adversarial attacks.</p> Data security and protection System and network security Machine Learning Deep Learning Network Intrusion Detection Systems
27	Real-time analysis of aggregate network traffic for anomaly detection Kim, Seong Soo 29 August 2005 (has links) The frequent and large-scale network attacks have led to an increased need for developing techniques for analyzing network traffic. If efficient analysis tools were available, it could become possible to detect the attacks, anomalies and to appropriately take action to contain the attacks before they have had time to propagate across the network. In this dissertation, we suggest a technique for traffic anomaly detection based on analyzing the correlation of destination IP addresses and distribution of image-based signal in postmortem and real-time, by passively monitoring packet headers of traffic. This address correlation data are transformed using discrete wavelet transform for effective detection of anomalies through statistical analysis. Results from trace-driven evaluation suggest that the proposed approach could provide an effective means of detecting anomalies close to the source. We present a multidimensional indicator using the correlation of port numbers as a means of detecting anomalies. We also present a network measurement approach that can simultaneously detect, identify and visualize attacks and anomalous traffic in real-time. We propose to represent samples of network packet header data as frames or images. With such a formulation, a series of samples can be seen as a sequence of frames or video. Thisenables techniques from image processing and video compression such as DCT to be applied to the packet header data to reveal interesting properties of traffic. We show that ??scene change analysis?? can reveal sudden changes in traffic behavior or anomalies. We show that ??motion prediction?? techniques can be employed to understand the patterns of some of the attacks. We show that it may be feasible to represent multiple pieces of data as different colors of an image enabling a uniform treatment of multidimensional packet header data. Measurement-based techniques for analyzing network traffic treat traffic volume and traffic header data as signals or images in order to make the analysis feasible. In this dissertation, we propose an approach based on the classical Neyman-Pearson Test employed in signal detection theory to evaluate these different strategies. We use both of analytical models and trace-driven experiments for comparing the performance of different strategies. Our evaluations on real traces reveal differences in the effectiveness of different traffic header data as potential signals for traffic analysis in terms of their detection rates and false alarm rates. Our results show that address distributions and number of flows are better signals than traffic volume for anomaly detection. Our results also show that sometimes statistical techniques can be more effective than the NP-test when the attack patterns change over time. Network traffic analysis traffic engineering image processing scene analysis network anomaly detection estimation and detection network security and protection network modeling and characterization
28	IT Security Risk Management of Cloud Computing Services in Critical Infrastructures Adelmeyer, Michael 27 February 2020 (has links) Due to the considerable advantages of cloud computing, such as cost efficiency, flexibility, and scalability, the technology has transformed the means of IT service provisioning. To realize the proclaimed benefits, critical infrastructure providers, as the backbone of societal life, increasingly deploy their IT services, processes, and functions in cloud environments. However, as the control over the underlying cloud infrastructure and the corresponding security measures is delegated to the cloud provider, the outsourcing to cloud environments exposes critical infrastructures to security risks. This is especially crucial since critical infrastructures highly rely on IT systems for dependable service provisioning. In addition, each cloud deployment is afflicted with individual risks depending on the selected cloud service and deployment model. Due to the strict requirements and regulations regarding the IT security of their landscapes, the management of IT security risks related to the adoption of cloud services is of significant importance for critical infrastructures. Thus, the objective of this thesis is to examine the IT security risk management of cloud services in critical infrastructures. For this purpose, frameworks, conceptual models, prototypical tools, action recommendations, and implications are developed. Besides the investigation of the status quo of cloud computing service adoption in German critical infrastructures, implications and methods for an adequate management of IT security and the corresponding risks resulting from the adoption of cloud computing services are derived. Further, in the context of the interaction between critical infrastructure and cloud computing service providers, the role of trust is examined. In addition, frameworks and prototypes for a tool support for the IT security risk management of cloud services in critical infrastructures are developed. As an underlying analytical framework, a multi-method approach is chosen to examine the field from a behavioral- as well as a design-oriented perspective by applying various qualitative and quantitative research methods. The results of this dissertation can support decision makers and researchers in the field of the IT security risk management of cloud computing services in critical infrastructures. IT Security IT Risk Management Cloud Computing Critical Infrastructures Trust Privacy K.6.5 - Security and Protection ddc:000
29	Mechanism Design in Defense against Offline Password Attacks Wenjie Bai (16051163) 15 June 2023 (has links) <p>The prevalence of offline password attacks, resulting from attackers breaching authentication servers and stealing cryptographic password hashes, poses a significant threat. Users' tendency to select weak passwords and reuse passwords across multiple accounts, coupled with computation advancement, further exacerbate the danger.</p> <p><br></p> <p>This dissertation addresses this issue by proposing password authentication mechanisms that aim to minimize the number of compromised passwords in the event of offline attacks, while ensuring that the server's workload remains manageable. Specifically, we present three mechanisms: (1) DAHash: This mechanism adjusts password hashing costs based on the strength of the underlying password. Through appropriate tuning of hashing cost parameters, the DAHash mechanism effectively reduces the fraction of passwords that can be cracked by an offline password cracker. (2) Password Strength Signaling: We explore the application of Bayesian Persuasion to password authentication. The key idea is to have the authentication server store a noisy signal about the strength of each user password for an offline attacker to find. We demonstrate that by appropriately tuning the noise distribution for the signal, a rational attacker will crack fewer passwords. (3) Cost-Asymmetric Memory Hard Password Hashing: We extend the concept of password peppering to modern Memory Hard password hashing algorithms. We identify limitations in naive extensions and introduce the concept of cost-even breakpoints as a solution. This approach allows us to overcome these limitations and achieve cost-asymmetry, wherein the expected cost of validating a correct password is significantly smaller than the cost of rejecting an incorrect password.</p> <p><br></p> <p>When analyzing the behavior of a rational attacker it is important to understand the attacker’s guessing curve i.e., the percentage of passwords that the attacker could crack within a guessing budget B. Dell’Amico and Filippone introduced a Monte Carlo algorithm to estimate the guessing number of a password as well as an estimate for the guessing curve. While the estimated guessing number is accurate in expectation the variance can be large and the method does not guarantee that the estimates are accurate with high probability. Thus, we introduce Confident Monte Carlo as a tool to provide confidence intervals for guessing number estimates and upper/lower bound the attacker’s guessing curves.</p> <p><br></p> <p>Moreover, we extend our focus beyond classical attackers to include quantum attackers. We present a decision-theoretic framework that models the rational behavior of attackers equipped with quantum computers. The objective is to quantify the capabilities of a rational quantum attacker and the potential damage they could inflict, assuming optimal decision-making. Our framework can potentially contribute to the development of effective countermeasures against a wide range of quantum pre-image attacks in the future.</p> Data security and protection Password Authentication Mechanism Stackelberg Game Password Strength Estimation Offline Password Attacks Quantum Pre-image Attacks
30	<b>SECURE AUTHENTICATION AND PRIVACY-PRESERVING TECHNIQUES IN VEHICULAR AD-HOC NETWORKS</b> Aala Oqab Alsalem (17075812) 28 April 2024 (has links) <p dir="ltr">VANET is formed by vehicles, road units, infrastructure components, and various con- nected objects.It aims mainly to ensure public safety and traffic control. New emerging applications include value-added and user-oriented services. While this technological ad- vancement promises ubiquitous deployment of the VANET, security and privacy challenges must be addressed. Thence, vehicle authentication is a vital process to detect malicious users and prevent them from harming legitimate communications. Hover, the authentication pro- cess uses sensitive information to check the vehicle’s identity. Sharing this information will harm vehicle privacy. In this thesis, we aim to deal with this issues:</p><ul><li>How can we ensure vehicle authentication and avoid sensitive and identity information leaks simultaneously?</li><li>When nodes are asked to provide identity proof, how can we ensure that the shared information is only used by an authorized entity?</li><li>Can we define an effective scheme to distinguish between legitimate and malicious network nodes?This dissertation aims to address the preservation of vehicle private information used within the authentication mechanism in VANET communications.The VANET characteristics are thoroughly presented and analyzed. Security require- ments and challenges are identified. Additionally, we review the proposed authentication techniques and the most well-known security attacks while focusing on the privacy preser- vation need and its challenges.To fulfill, the privacy preservation requirements, we proposed a new solution called Active Bundle AUthentication Solution based on SDN for Vehicular Networks (ABAUS). We intro- duce the Software Defined Networks (SDN) as an authentication infrastructure to guarantee the authenticity of each participant. Furthermore, we enhance the preservation of sensitive data by the use of an active data Bundle (ADB) as a self-protecting security mechanism. It ensures data protection throughout the whole data life cycle. ABAUS defines a dedicated registration protocol to verify and validate the different members of the network.</li></ul><p dir="ltr">first solution focused on legitimate vehicle identification and sensitive data pro- tection. A second scheme is designed to recognize and eliminate malicious users called BEhaviour-based REPutation scheme for privacy preservation in VANET using blockchain technology (BEREP). Dedicated public blockchains are used by a central trust authority to register vehicles and store their behavior evaluation and a trust scoring system allows nodes to evaluate the behavior of their communicators and detect malicious infiltrated users.</p><p dir="ltr">By enhancing sensitive data preservation during the authentication process and detect- ing malicious attempts, our proposed work helps to tackle serious challenges in VANET communications.</p> Data security and protection System and network security Vehicular Ad hoc Networks Software Defined Networks Privacy Preservation Network Security Authentication

Search results