PapersCut A shortcut to recent security papers

Arxiv

Holmes: An Efficient and Lightweight Semantic Based Anomalous Email Detector

Authors: Peilun Wu, Shiyi Yang, Hui Guo

Abstract: Email threat is a serious issue for enterprise security, which consists of various malicious scenarios, such as phishing, fraud, blackmail and malvertisement. Traditional anti-spam gateway commonly requires to maintain a greylist to filter out unexpected emails based on suspicious vocabularies existed in the mail subject and content. However, the signature-based approach cannot effectively discover novel and unknown suspicious emails that utilize various hot topics at present, such as COVID-19 and US election. To address the problem, in this paper, we present Holmes, an efficient and lightweight semantic based engine for anomalous email detection. Holmes can convert each event log of email to a sentence through word embedding then extract interesting items among them by novelty detection. Based on our observations, we claim that, in an enterprise environment, there is a stable relation between senders and receivers, but suspicious emails are commonly from unusual sources, which can be detected through the rareness selection. We evaluate the performance of Holmes in a real-world enterprise environment, in which it sends and receives around 5,000 emails each day. As a result, Holmes can achieve a high detection rate (output around 200 suspicious emails per day) and maintain a low false alarm rate for anomaly detection.

Date: 16 Apr 2021

PDF »Main page »


Denial of Wallet -- Defining a Looming Threat to Serverless Computing

Authors: Daniel Kelly, Frank G. Glavin, Enda Barrett

Abstract: Serverless computing is the latest paradigm in cloud computing, offering a framework for the development of event driven, pay-as-you-go functions in a highly scalable environment. While these traits offer a powerful new development paradigm, they have also given rise to a new form of cyber-attack known as Denial of Wallet (forced financial exhaustion). In this work, we define and identify the threat of Denial of Wallet and its potential attack patterns. Also, we demonstrate how this new form of attack can potentially circumvent existing mitigation systems developed for a similar style of attack, Denial of Service. Our goal is twofold. Firstly, we will provide a concise and informative overview of this emerging attack paradigm. Secondly, we propose this paper as a starting point to enable researchers and service providers to create effective mitigation strategies. We include some simulated experiments to highlight the potential financial damage that such attacks can cause and the creation of an isolated test bed for continued safe research on these attacks.

Date: 16 Apr 2021

PDF »Main page »


Transparent Electricity Pricing with Privacy

Authors: Daniel Reijsbergen, Zheng Yang, Aung Maw, Tien Tuan Anh Dinh, Jianying Zhou

Abstract: Smart grids leverage data from smart meters to improve operations management and to achieve cost reductions. The fine-grained meter data also enable pricing schemes that simultaneously benefit electricity retailers and users. Our goal is to design a practical dynamic pricing protocol for smart grids in which the rate charged by a retailer depends on the total demand among its users. Realizing this goal is challenging because neither the retailer nor the users are trusted. The first challenge is to design a pricing scheme that incentivizes consumption behavior that leads to lower costs for both the users and the retailer. The second challenge is to prevent the retailer from tampering with the data, for example, by claiming that the total consumption is much higher than its real value. The third challenge is data privacy, that is, how to hide the meter data from adversarial users. To address these challenges, we propose a scheme in which peak rates are charged if either the total or the individual consumptions exceed some thresholds. We formally define a privacy-preserving transparent pricing scheme (PPTP) that allows honest users to detect tampering at the retailer while ensuring data privacy. We present two instantiations of PPTP, and prove their security. Both protocols use secure commitments and zero-knowledge proofs. We implement and evaluate the protocols on server and edge hardware, demonstrating that PPTP has practical performance at scale.

Date: 16 Apr 2021

PDF »Main page »


Achieving differential privacy for $k$-nearest neighbors based outlier detection by data partitioning

Authors: Jens Rauch, Iyiola E. Olatunji, Megha Khosla

Abstract: When applying outlier detection in settings where data is sensitive, mechanisms which guarantee the privacy of the underlying data are needed. The $k$-nearest neighbors ($k$-NN) algorithm is a simple and one of the most effective methods for outlier detection. So far, there have been no attempts made to develop a differentially private ($\epsilon$-DP) approach for $k$-NN based outlier detection. Existing approaches often relax the notion of $\epsilon$-DP and employ other methods than $k$-NN. We propose a method for $k$-NN based outlier detection by separating the procedure into a fitting step on reference inlier data and then apply the outlier classifier to new data. We achieve $\epsilon$-DP for both the fitting algorithm and the outlier classifier with respect to the reference data by partitioning the dataset into a uniform grid, which yields low global sensitivity. Our approach yields nearly optimal performance on real-world data with varying dimensions when compared to the non-private versions of $k$-NN.

Date: 16 Apr 2021

PDF »Main page »


SecDocker: Hardening the Continuous Integration Workflow

Authors: David Fernández González, Francisco Javier Rodríguez Lera, Gonzalo Esteban, Camino Fernández Llamas

Abstract: Current Continuous Integration processes face significant intrinsic cybersecurity challenges. The idea is not only to solve and test formal or regulatory security requirements of source code but also to adhere to the same principles to the CI pipeline itself. This paper presents an overview of current security issues in CI workflow. It designs, develops, and deploys a new tool for the secure deployment of a container-based CI pipeline flow without slowing down release cycles. The tool, called \SD for its Docker-based approach, is publicly available in GitHub. It implements a transparent application firewall based on a configuration mechanism avoiding issues in the CI workflow associated with intended or unintended container configurations. Integrated with other DevOps Engineers tools, it provides feedback from only those scenarios that match specific patterns, addressing future container security issues.

Comment: Preprint: 15 pages, 5 figures, 2 tables. Public repository: https://github.com/uleroboticsgroup/Secdocker

Date: 16 Apr 2021

PDF »Main page »


A Method to Reveal Speaker Identity in Distributed ASR Training, and How to Counter It

Authors: Trung Dang, Om Thakkar, Swaroop Ramaswamy, Rajiv Mathews, Peter Chin, Françoise Beaufays

Abstract: End-to-end Automatic Speech Recognition (ASR) models are commonly trained over spoken utterances using optimization methods like Stochastic Gradient Descent (SGD). In distributed settings like Federated Learning, model training requires transmission of gradients over a network. In this work, we design the first method for revealing the identity of the speaker of a training utterance with access only to a gradient. We propose Hessian-Free Gradients Matching, an input reconstruction technique that operates without second derivatives of the loss function (required in prior works), which can be expensive to compute. We show the effectiveness of our method using the DeepSpeech model architecture, demonstrating that it is possible to reveal the speaker's identity with 34% top-1 accuracy (51% top-5 accuracy) on the LibriSpeech dataset. Further, we study the effect of two well-known techniques, Differentially Private SGD and Dropout, on the success of our method. We show that a dropout rate of 0.2 can reduce the speaker identity accuracy to 0% top-1 (0.5% top-5).

Date: 15 Apr 2021

PDF »Main page »


From Personal Data to Digital Legacy: Exploring Conflicts in the Sharing, Security and Privacy of Post-mortem Data

Authors: Jack Holt, James Nicholson, Jan David Smeddinck

Abstract: As digital technologies become more prevalent there is a growing awareness of the importance of good security and privacy practices. The tools and techniques used to achieve this are typically designed with the living user in mind, with little consideration of how they should or will perform after the user has died. We report on two workshops carried out with users of password managers to explore their views on the post-mortem sharing, security and privacy of a range of common digital assets. We discuss a post-mortem privacy paradox where users recognise value in planning for their digital legacy, yet avoid actively doing so. Importantly, our findings highlight a tension between the use of recommended security tools during life and facilitating appropriate post-mortem access to chosen assets. We offer design recommendations to facilitate and encourage digital legacy planning while promoting good security habits during life.

Comment: WWW '21

Date: 15 Apr 2021

PDF »Main page »


Trust but Verify: Cryptographic Data Privacy for Mobility Management

Authors: Matthew Tsao, Kaidi Yang, Stephen Zoepf, Marco Pavone

Abstract: The era of Big Data has brought with it a richer understanding of user behavior through massive data sets, which can help organizations optimize the quality of their services. In the context of transportation research, mobility data can provide Municipal Authorities (MA) with insights on how to operate, regulate, or improve the transportation network. Mobility data, however, may contain sensitive information about end users and trade secrets of Mobility Providers (MP). Due to this data privacy concern, MPs may be reluctant to contribute their datasets to MA. Using ideas from cryptography, we propose a distributed computation protocol between a MA and a MP in which MA obtains insights from mobility data without MP having to reveal its trade secrets or sensitive data of its users. This is accomplished in two steps: a commitment step, and a computation step. In the first step, Merkle commitments and aggregated traffic measurements are used to generate a cryptographic commitment. In the second step, MP extracts insights from the data and sends them to MA. Using the commitment and zero-knowledge proofs, MA can certify that the information received from MP is accurate, without needing to directly inspect the mobility data. The protocol is strategyproof for both MA and MP in the sense that they cannot benefit from strategic behavior. The protocol can be readily extended to the more realistic setting with multiple MPs via secure multi-party computation.

Date: 15 Apr 2021

PDF »Main page »


Providing a hybrid cryptography algorithm for lightweight authentication protocol in RFID with urban traffic usage case

Authors: V. Chegeni, H. Haj Seyyed javadi, M. R Moazami Goudarzi, A. Rezakhani

Abstract: Today, the Internet of Things (IoT) is one of the emerging technologies that enable the connection and transfer of information through communication networks. The main idea of the IoT is the widespread presence of objects such as mobile devices, sensors, and RFID. With the increase in traffic volume in urban areas, the existing intelligent urban traffic management system based on IoT can be vital. Therefore, this paper focused on security in urban traffic based on using RFID. In our scheme, RFID tags chose as the purpose of this article. We, in this paper, present a mutual authentication protocol that leads to privacy based on hybrid cryptography. Also, an authentication process with RFID tags is proposed that can be read at high speed. The protocol has attempted to reduce the complexity of computing. At the same time, the proposed method can withstand attacks such as spoofing of tag and reader, tag tracking, and replay attack.

Comment: 10 pages,2 figures

Date: 15 Apr 2021

PDF »Main page »


Survey about protection motivation on social networking sites: University of Maribor students, 2018

Authors: Luka Jelovčan, Simon Vrhovec, Damjan Fujs

Abstract: This paper reports on a study aiming to explore factors associated with protection motivation of users on social networking sites. The objectives of this study were to determine how trust in internet service provider, trust in social media provider, trust in government, privacy concerns, fear of government intrusions, locus of control, and perceived threats affect protection motivation of users on social networking sites. The study employed a cross-sectional research design. A survey was conducted among University of Maribor students between October 2018 and January 2019. A total of 289 respondents completed the survey providing for N=276 useful responses after excluding poorly completed responses (27.9 percent response rate). The survey questionnaire was developed in English. A Slovenian translation of the survey questionnaire is available.

Date: 15 Apr 2021

PDF »Main page »


Loading ...